Full Code of sigstore/policy-controller for AI

Repository: sigstore/policy-controller
Branch: main
Commit: cc75baab1d34
Files: 813
Total size: 4.8 MB

Directory structure:
gitextract_s9p6qnqm/

├── .gitattributes
├── .github/
│   ├── dependabot.yml
│   └── workflows/
│       ├── build.yaml
│       ├── codeql-analysis.yml
│       ├── depsreview.yml
│       ├── donotsubmit.yaml
│       ├── kind-cluster-image-policy-no-tuf.yaml
│       ├── kind-cluster-image-policy-trustroot.yaml
│       ├── kind-cluster-image-policy-tsa.yaml
│       ├── kind-cluster-image-policy.yaml
│       ├── kind-e2e-cosigned.yaml
│       ├── kind-e2e-trustroot-crd.yaml
│       ├── lint.yaml
│       ├── milestone.yaml
│       ├── policy-tester-examples.yml
│       ├── release-snapshot.yaml
│       ├── release.yaml
│       ├── scorecard_action.yml
│       ├── style.yaml
│       ├── tests.yaml
│       ├── verify-codegen.yaml
│       ├── verify-docs.yaml
│       └── whitespace.yaml
├── .gitignore
├── .golangci.yml
├── .goreleaser.yaml
├── .ko.yaml
├── CHANGELOG.md
├── CODEOWNERS
├── CODE_OF_CONDUCT.md
├── COPYRIGHT.txt
├── LICENSE
├── Makefile
├── README.md
├── cmd/
│   ├── api-docs/
│   │   └── main.go
│   ├── local-dev/
│   │   ├── clean.go
│   │   ├── main.go
│   │   ├── root.go
│   │   └── setup.go
│   ├── sample/
│   │   └── main.go
│   ├── schema/
│   │   └── main.go
│   ├── tester/
│   │   ├── main.go
│   │   └── trustroot.go
│   └── webhook/
│       ├── depcheck_test.go
│       └── main.go
├── config/
│   ├── 100-namespace.yaml
│   ├── 200-clusterrole.yaml
│   ├── 200-role.yaml
│   ├── 200-serviceaccount.yaml
│   ├── 201-clusterrolebinding.yaml
│   ├── 201-rolebinding.yaml
│   ├── 300-clusterimagepolicy.yaml
│   ├── 300-trustroot.yaml
│   ├── 400-webhook-service.yaml
│   ├── 500-webhook-configuration.yaml
│   ├── 501-policy-webhook-configurations.yaml
│   ├── config-image-policies.yaml
│   ├── config-leader-election.yaml
│   ├── config-logging.yaml
│   ├── config-observability.yaml
│   ├── config-policy-controller.yaml
│   ├── config-sigstore-keys.yaml
│   ├── dummy.go
│   ├── kustomization.yaml
│   └── webhook.yaml
├── docs/
│   └── api-types/
│       ├── index-v1alpha1.md
│       └── index.md
├── examples/
│   ├── README.md
│   ├── keys/
│   │   ├── cosign.key
│   │   └── cosign.pub
│   ├── policies/
│   │   ├── allow-only-pods.yaml
│   │   ├── custom-key-attestation-sbom-spdxjson.yaml
│   │   ├── keyless-attestation-sbom-spdxjson.yaml
│   │   ├── release-signed-by-github-actions.yaml
│   │   ├── signed-by-aws-kms-key.yaml
│   │   ├── signed-by-gcp-kms-key.yaml
│   │   └── signed-by-github-actions.yaml
│   └── sboms/
│       └── example.spdx.json
├── go.mod
├── go.sum
├── hack/
│   ├── boilerplate/
│   │   └── boilerplate.go.txt
│   ├── gentestdata/
│   │   └── gentestdata.go
│   ├── github-oidc-setup.sh
│   ├── tools.go
│   ├── update-codegen.sh
│   └── update-deps.sh
├── images/
│   └── dot/
│       └── signatures.dot
├── pkg/
│   ├── apis/
│   │   ├── config/
│   │   │   ├── doc.go
│   │   │   ├── image_policies.go
│   │   │   ├── image_policies_test.go
│   │   │   ├── sigstore_keys.go
│   │   │   ├── sigstore_keys_test.go
│   │   │   ├── store.go
│   │   │   ├── store_test.go
│   │   │   └── testdata/
│   │   │       ├── config-image-policies.yaml
│   │   │       ├── config-invalid-image-policy.yaml
│   │   │       └── config-sigstore-keys.yaml
│   │   ├── duck/
│   │   │   └── v1beta1/
│   │   │       ├── doc.go
│   │   │       ├── podscalable_defaults.go
│   │   │       ├── podscalable_defaults_test.go
│   │   │       ├── podscalable_implements_test.go
│   │   │       ├── podscalable_types.go
│   │   │       ├── podscalable_types_test.go
│   │   │       ├── podscalable_validation.go
│   │   │       ├── podscalable_validation_test.go
│   │   │       ├── register.go
│   │   │       └── zz_generated.deepcopy.go
│   │   ├── glob/
│   │   │   ├── glob.go
│   │   │   └── glob_test.go
│   │   ├── policy/
│   │   │   ├── common/
│   │   │   │   ├── validation.go
│   │   │   │   └── validation_test.go
│   │   │   ├── register.go
│   │   │   ├── v1alpha1/
│   │   │   │   ├── clusterimagepolicy_conversion.go
│   │   │   │   ├── clusterimagepolicy_conversion_test.go
│   │   │   │   ├── clusterimagepolicy_defaults.go
│   │   │   │   ├── clusterimagepolicy_defaults_test.go
│   │   │   │   ├── clusterimagepolicy_lifecycle.go
│   │   │   │   ├── clusterimagepolicy_lifecycle_test.go
│   │   │   │   ├── clusterimagepolicy_types.go
│   │   │   │   ├── clusterimagepolicy_validation.go
│   │   │   │   ├── clusterimagepolicy_validation_test.go
│   │   │   │   ├── doc.go
│   │   │   │   ├── register.go
│   │   │   │   ├── trustroot_defaults.go
│   │   │   │   ├── trustroot_defaults_test.go
│   │   │   │   ├── trustroot_lifecycle.go
│   │   │   │   ├── trustroot_types.go
│   │   │   │   ├── trustroot_validation.go
│   │   │   │   ├── trustroot_validation_test.go
│   │   │   │   └── zz_generated.deepcopy.go
│   │   │   └── v1beta1/
│   │   │       ├── clusterimagepolicy_conversion.go
│   │   │       ├── clusterimagepolicy_conversion_test.go
│   │   │       ├── clusterimagepolicy_defaults.go
│   │   │       ├── clusterimagepolicy_defaults_test.go
│   │   │       ├── clusterimagepolicy_lifecycle.go
│   │   │       ├── clusterimagepolicy_types.go
│   │   │       ├── clusterimagepolicy_validation.go
│   │   │       ├── clusterimagepolicy_validation_test.go
│   │   │       ├── doc.go
│   │   │       ├── register.go
│   │   │       └── zz_generated.deepcopy.go
│   │   └── signaturealgo/
│   │       ├── signature_digest.go
│   │       └── signature_digest_test.go
│   ├── client/
│   │   ├── clientset/
│   │   │   └── versioned/
│   │   │       ├── clientset.go
│   │   │       ├── doc.go
│   │   │       ├── fake/
│   │   │       │   ├── clientset_generated.go
│   │   │       │   ├── doc.go
│   │   │       │   └── register.go
│   │   │       ├── scheme/
│   │   │       │   ├── doc.go
│   │   │       │   └── register.go
│   │   │       └── typed/
│   │   │           ├── duck/
│   │   │           │   └── v1beta1/
│   │   │           │       ├── doc.go
│   │   │           │       ├── duck_client.go
│   │   │           │       ├── fake/
│   │   │           │       │   ├── doc.go
│   │   │           │       │   └── fake_duck_client.go
│   │   │           │       └── generated_expansion.go
│   │   │           └── policy/
│   │   │               ├── v1alpha1/
│   │   │               │   ├── clusterimagepolicy.go
│   │   │               │   ├── doc.go
│   │   │               │   ├── fake/
│   │   │               │   │   ├── doc.go
│   │   │               │   │   ├── fake_clusterimagepolicy.go
│   │   │               │   │   ├── fake_policy_client.go
│   │   │               │   │   └── fake_trustroot.go
│   │   │               │   ├── generated_expansion.go
│   │   │               │   ├── policy_client.go
│   │   │               │   └── trustroot.go
│   │   │               └── v1beta1/
│   │   │                   ├── clusterimagepolicy.go
│   │   │                   ├── doc.go
│   │   │                   ├── fake/
│   │   │                   │   ├── doc.go
│   │   │                   │   ├── fake_clusterimagepolicy.go
│   │   │                   │   └── fake_policy_client.go
│   │   │                   ├── generated_expansion.go
│   │   │                   └── policy_client.go
│   │   ├── informers/
│   │   │   └── externalversions/
│   │   │       ├── factory.go
│   │   │       ├── generic.go
│   │   │       ├── internalinterfaces/
│   │   │       │   └── factory_interfaces.go
│   │   │       └── policy/
│   │   │           ├── interface.go
│   │   │           ├── v1alpha1/
│   │   │           │   ├── clusterimagepolicy.go
│   │   │           │   ├── interface.go
│   │   │           │   └── trustroot.go
│   │   │           └── v1beta1/
│   │   │               ├── clusterimagepolicy.go
│   │   │               └── interface.go
│   │   ├── injection/
│   │   │   ├── client/
│   │   │   │   ├── client.go
│   │   │   │   └── fake/
│   │   │   │       └── fake.go
│   │   │   ├── ducks/
│   │   │   │   └── duck/
│   │   │   │       └── v1beta1/
│   │   │   │           └── podscalable/
│   │   │   │               ├── fake/
│   │   │   │               │   └── fake.go
│   │   │   │               └── podscalable.go
│   │   │   ├── informers/
│   │   │   │   ├── factory/
│   │   │   │   │   ├── factory.go
│   │   │   │   │   ├── fake/
│   │   │   │   │   │   └── fake.go
│   │   │   │   │   └── filtered/
│   │   │   │   │       ├── fake/
│   │   │   │   │       │   └── fake_filtered_factory.go
│   │   │   │   │       └── filtered_factory.go
│   │   │   │   └── policy/
│   │   │   │       ├── v1alpha1/
│   │   │   │       │   ├── clusterimagepolicy/
│   │   │   │       │   │   ├── clusterimagepolicy.go
│   │   │   │       │   │   ├── fake/
│   │   │   │       │   │   │   └── fake.go
│   │   │   │       │   │   └── filtered/
│   │   │   │       │   │       ├── clusterimagepolicy.go
│   │   │   │       │   │       └── fake/
│   │   │   │       │   │           └── fake.go
│   │   │   │       │   └── trustroot/
│   │   │   │       │       ├── fake/
│   │   │   │       │       │   └── fake.go
│   │   │   │       │       ├── filtered/
│   │   │   │       │       │   ├── fake/
│   │   │   │       │       │   │   └── fake.go
│   │   │   │       │       │   └── trustroot.go
│   │   │   │       │       └── trustroot.go
│   │   │   │       └── v1beta1/
│   │   │   │           └── clusterimagepolicy/
│   │   │   │               ├── clusterimagepolicy.go
│   │   │   │               ├── fake/
│   │   │   │               │   └── fake.go
│   │   │   │               └── filtered/
│   │   │   │                   ├── clusterimagepolicy.go
│   │   │   │                   └── fake/
│   │   │   │                       └── fake.go
│   │   │   └── reconciler/
│   │   │       └── policy/
│   │   │           ├── v1alpha1/
│   │   │           │   ├── clusterimagepolicy/
│   │   │           │   │   ├── controller.go
│   │   │           │   │   ├── reconciler.go
│   │   │           │   │   └── state.go
│   │   │           │   └── trustroot/
│   │   │           │       ├── controller.go
│   │   │           │       ├── reconciler.go
│   │   │           │       └── state.go
│   │   │           └── v1beta1/
│   │   │               └── clusterimagepolicy/
│   │   │                   ├── controller.go
│   │   │                   ├── reconciler.go
│   │   │                   └── state.go
│   │   └── listers/
│   │       └── policy/
│   │           ├── v1alpha1/
│   │           │   ├── clusterimagepolicy.go
│   │           │   ├── expansion_generated.go
│   │           │   └── trustroot.go
│   │           └── v1beta1/
│   │               ├── clusterimagepolicy.go
│   │               └── expansion_generated.go
│   ├── config/
│   │   ├── store.go
│   │   ├── store_test.go
│   │   └── testdata/
│   │       ├── allow-all.yaml
│   │       ├── allow-empty-authorities.yaml
│   │       ├── deny-all-default.yaml
│   │       ├── deny-all-explicit.yaml
│   │       ├── enable-oci11-invalid.yaml
│   │       ├── enable-oci11.yaml
│   │       └── warn-all.yaml
│   ├── policy/
│   │   ├── README.md
│   │   ├── parse.go
│   │   ├── parse_test.go
│   │   ├── policy.go
│   │   ├── policy_test.go
│   │   ├── validate.go
│   │   ├── validate_test.go
│   │   ├── verifier.go
│   │   └── verifier_test.go
│   ├── reconciler/
│   │   ├── clusterimagepolicy/
│   │   │   ├── clusterimagepolicy.go
│   │   │   ├── clusterimagepolicy_test.go
│   │   │   ├── controller.go
│   │   │   ├── controller_test.go
│   │   │   └── resources/
│   │   │       └── configmap.go
│   │   ├── testing/
│   │   │   └── v1alpha1/
│   │   │       ├── clusterimagepolicy.go
│   │   │       ├── factory.go
│   │   │       ├── listers.go
│   │   │       └── trustroot.go
│   │   └── trustroot/
│   │       ├── controller.go
│   │       ├── controller_test.go
│   │       ├── resources/
│   │       │   └── configmap.go
│   │       ├── testdata/
│   │       │   ├── ctfeLogID.txt
│   │       │   ├── ctfePublicKey.pem
│   │       │   ├── fulcioCert.pem
│   │       │   ├── fulcioCertChain.pem
│   │       │   ├── marshalledEntry.json
│   │       │   ├── marshalledEntryFromMirrorFS.json
│   │       │   ├── rekorLogID.txt
│   │       │   ├── rekorPublicKey.pem
│   │       │   ├── root.json
│   │       │   ├── rootWithCustomTrustedRootJSON.json
│   │       │   ├── rootWithTrustedRootJSON.json
│   │       │   ├── testdata.go
│   │       │   └── tsaCertChain.pem
│   │       ├── trustroot.go
│   │       └── trustroot_test.go
│   ├── tuf/
│   │   ├── context.go
│   │   ├── context_test.go
│   │   ├── repo.go
│   │   └── repo_test.go
│   └── webhook/
│       ├── cache.go
│       ├── clusterimagepolicy/
│       │   └── clusterimagepolicy_types.go
│       ├── nocache.go
│       ├── registryauth/
│       │   ├── azure/
│       │   │   └── acrhelper.go
│       │   └── registryauth.go
│       ├── testdata/
│       │   └── cert.pem
│       ├── validation.go
│       ├── validator.go
│       ├── validator_result.go
│       └── validator_test.go
├── release/
│   ├── README.md
│   ├── ko-sign-release-images.sh
│   ├── ldflags.sh
│   └── release.mk
├── test/
│   ├── cert_utils.go
│   ├── ci.mk
│   ├── cmd/
│   │   └── getoidctoken/
│   │       └── main.go
│   ├── config/
│   │   └── gettoken/
│   │       └── gettoken.yaml
│   ├── e2e_test_cluster_image_policy.sh
│   ├── e2e_test_cluster_image_policy_from_configmap_with_fetch_config_file.sh
│   ├── e2e_test_cluster_image_policy_from_url.sh
│   ├── e2e_test_cluster_image_policy_no_tuf.sh
│   ├── e2e_test_cluster_image_policy_with_attestations.sh
│   ├── e2e_test_cluster_image_policy_with_attestations_rego.sh
│   ├── e2e_test_cluster_image_policy_with_fetch_config_file.sh
│   ├── e2e_test_cluster_image_policy_with_include_objectmeta.sh
│   ├── e2e_test_cluster_image_policy_with_include_spec.sh
│   ├── e2e_test_cluster_image_policy_with_include_typemeta.sh
│   ├── e2e_test_cluster_image_policy_with_oci11_attestations.sh
│   ├── e2e_test_cluster_image_policy_with_source.sh
│   ├── e2e_test_cluster_image_policy_with_trustroot_bring_own_keys.sh
│   ├── e2e_test_cluster_image_policy_with_trustroot_remote.sh
│   ├── e2e_test_cluster_image_policy_with_trustroot_repository.sh
│   ├── e2e_test_cluster_image_policy_with_tsa.sh
│   ├── e2e_test_cluster_image_policy_with_warn.sh
│   ├── e2e_test_cluster_with_scalable.sh
│   ├── e2e_test_policy_controller.sh
│   ├── e2e_test_policy_crd.sh
│   ├── e2e_test_trustroot_crd.sh
│   ├── kustomize/
│   │   └── kustomization.yaml
│   ├── kustomize-no-tuf/
│   │   └── kustomization.yaml
│   └── testdata/
│       ├── attestations/
│       │   └── vuln-predicate.json
│       ├── bom-go-mod.spdx
│       ├── fancy_from.Dockerfile
│       ├── policies/
│       │   ├── cue-fails.cue
│       │   ├── cue-policy-config.cue
│       │   ├── cue-vuln-fails.cue
│       │   ├── cue-vuln-works.cue
│       │   └── cue-works.cue
│       ├── resources/
│       │   ├── job.yaml
│       │   └── pod.yaml
│       ├── signed_manifest.yaml
│       ├── single_stage.Dockerfile
│       ├── test.wasm
│       ├── test_blob_cert.pem
│       ├── test_blob_private_key
│       ├── test_blob_public_key
│       ├── trustroot/
│       │   ├── e2e/
│       │   │   ├── bring-your-own-keys.yaml
│       │   │   ├── with-remote.yaml
│       │   │   ├── with-repository.yaml
│       │   │   └── with-tsa.yaml
│       │   ├── golden/
│       │   │   ├── ctfe.pem
│       │   │   ├── fulcio.crt.pem
│       │   │   ├── rekor.pem
│       │   │   └── tsa.crt.pem
│       │   └── valid/
│       │       └── valid-sigstore-keys.yaml
│       ├── unsigned_build_stage.Dockerfile
│       ├── unsigned_manifest.yaml
│       ├── with_arg.Dockerfile
│       └── with_lowercase.Dockerfile
└── third_party/
    └── VENDOR-LICENSE/
        ├── cloud.google.com/
        │   └── go/
        │       ├── auth/
        │       │   ├── LICENSE
        │       │   └── oauth2adapt/
        │       │       └── LICENSE
        │       ├── compute/
        │       │   └── metadata/
        │       │       └── LICENSE
        │       ├── iam/
        │       │   └── LICENSE
        │       ├── kms/
        │       │   └── LICENSE
        │       └── longrunning/
        │           └── LICENSE
        ├── contrib.go.opencensus.io/
        │   └── exporter/
        │       ├── ocagent/
        │       │   └── LICENSE
        │       └── prometheus/
        │           └── LICENSE
        ├── cuelang.org/
        │   └── go/
        │       └── LICENSE
        ├── github.com/
        │   ├── AliyunContainerService/
        │   │   └── ack-ram-tool/
        │   │       └── pkg/
        │   │           └── credentials/
        │   │               └── provider/
        │   │                   └── LICENSE
        │   ├── Azure/
        │   │   ├── azure-sdk-for-go/
        │   │   │   ├── LICENSE.txt
        │   │   │   ├── NOTICE.txt
        │   │   │   └── sdk/
        │   │   │       ├── azcore/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── azidentity/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── internal/
        │   │   │       │   └── LICENSE.txt
        │   │   │       └── security/
        │   │   │           └── keyvault/
        │   │   │               ├── azkeys/
        │   │   │               │   └── LICENSE.txt
        │   │   │               └── internal/
        │   │   │                   └── LICENSE.txt
        │   │   └── go-autorest/
        │   │       ├── autorest/
        │   │       │   ├── LICENSE
        │   │       │   ├── adal/
        │   │       │   │   └── LICENSE
        │   │       │   ├── azure/
        │   │       │   │   ├── auth/
        │   │       │   │   │   └── LICENSE
        │   │       │   │   └── cli/
        │   │       │   │       └── LICENSE
        │   │       │   └── date/
        │   │       │       └── LICENSE
        │   │       ├── logger/
        │   │       │   └── LICENSE
        │   │       └── tracing/
        │   │           └── LICENSE
        │   ├── AzureAD/
        │   │   └── microsoft-authentication-library-for-go/
        │   │       └── apps/
        │   │           └── LICENSE
        │   ├── LICENSE
        │   ├── agnivade/
        │   │   └── levenshtein/
        │   │       └── License.txt
        │   ├── alibabacloud-go/
        │   │   ├── alibabacloud-gateway-spi/
        │   │   │   └── client/
        │   │   │       └── LICENSE
        │   │   ├── cr-20181201/
        │   │   │   └── client/
        │   │   │       └── LICENSE
        │   │   ├── darabonba-openapi/
        │   │   │   └── client/
        │   │   │       └── LICENSE
        │   │   ├── debug/
        │   │   │   └── debug/
        │   │   │       └── LICENSE
        │   │   ├── endpoint-util/
        │   │   │   └── service/
        │   │   │       └── LICENSE
        │   │   ├── openapi-util/
        │   │   │   └── service/
        │   │   │       └── LICENSE
        │   │   ├── tea/
        │   │   │   └── LICENSE
        │   │   ├── tea-utils/
        │   │   │   └── service/
        │   │   │       └── LICENSE
        │   │   └── tea-xml/
        │   │       └── service/
        │   │           └── LICENSE
        │   ├── aliyun/
        │   │   └── credentials-go/
        │   │       └── credentials/
        │   │           └── LICENSE
        │   ├── asaskevich/
        │   │   └── govalidator/
        │   │       └── LICENSE
        │   ├── aws/
        │   │   ├── aws-sdk-go-v2/
        │   │   │   ├── LICENSE.txt
        │   │   │   ├── NOTICE.txt
        │   │   │   ├── config/
        │   │   │   │   └── LICENSE.txt
        │   │   │   ├── credentials/
        │   │   │   │   └── LICENSE.txt
        │   │   │   ├── feature/
        │   │   │   │   └── ec2/
        │   │   │   │       └── imds/
        │   │   │   │           └── LICENSE.txt
        │   │   │   ├── internal/
        │   │   │   │   ├── configsources/
        │   │   │   │   │   └── LICENSE.txt
        │   │   │   │   ├── endpoints/
        │   │   │   │   │   └── v2/
        │   │   │   │   │       └── LICENSE.txt
        │   │   │   │   ├── ini/
        │   │   │   │   │   └── LICENSE.txt
        │   │   │   │   └── sync/
        │   │   │   │       └── singleflight/
        │   │   │   │           └── LICENSE
        │   │   │   └── service/
        │   │   │       ├── ecr/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── ecrpublic/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── internal/
        │   │   │       │   ├── accept-encoding/
        │   │   │       │   │   └── LICENSE.txt
        │   │   │       │   └── presigned-url/
        │   │   │       │       └── LICENSE.txt
        │   │   │       ├── kms/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── signin/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── sso/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── ssooidc/
        │   │   │       │   └── LICENSE.txt
        │   │   │       └── sts/
        │   │   │           └── LICENSE.txt
        │   │   └── smithy-go/
        │   │       ├── LICENSE
        │   │       ├── NOTICE
        │   │       └── internal/
        │   │           └── sync/
        │   │               └── singleflight/
        │   │                   └── LICENSE
        │   ├── awslabs/
        │   │   └── amazon-ecr-credential-helper/
        │   │       └── ecr-login/
        │   │           └── LICENSE
        │   ├── beorn7/
        │   │   └── perks/
        │   │       └── quantile/
        │   │           └── LICENSE
        │   ├── blang/
        │   │   └── semver/
        │   │       ├── LICENSE
        │   │       └── v4/
        │   │           └── LICENSE
        │   ├── blendle/
        │   │   └── zapdriver/
        │   │       └── LICENSE
        │   ├── cenkalti/
        │   │   └── backoff/
        │   │       ├── v4/
        │   │       │   └── LICENSE
        │   │       └── v5/
        │   │           └── LICENSE
        │   ├── census-instrumentation/
        │   │   └── opencensus-proto/
        │   │       └── gen-go/
        │   │           └── LICENSE
        │   ├── cespare/
        │   │   └── xxhash/
        │   │       └── v2/
        │   │           └── LICENSE.txt
        │   ├── chrismellard/
        │   │   └── docker-credential-acr-env/
        │   │       └── pkg/
        │   │           └── LICENSE
        │   ├── clbanning/
        │   │   └── mxj/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── cockroachdb/
        │   │   └── apd/
        │   │       └── v3/
        │   │           └── LICENSE
        │   ├── common-nighthawk/
        │   │   └── go-figure/
        │   │       └── LICENSE
        │   ├── containerd/
        │   │   ├── errdefs/
        │   │   │   ├── LICENSE
        │   │   │   └── pkg/
        │   │   │       └── LICENSE
        │   │   └── stargz-snapshotter/
        │   │       └── estargz/
        │   │           └── LICENSE
        │   ├── coreos/
        │   │   └── go-oidc/
        │   │       └── v3/
        │   │           └── oidc/
        │   │               ├── LICENSE
        │   │               └── NOTICE
        │   ├── cyberphone/
        │   │   └── json-canonicalization/
        │   │       └── go/
        │   │           └── src/
        │   │               └── webpki.org/
        │   │                   └── jsoncanonicalizer/
        │   │                       └── LICENSE
        │   ├── davecgh/
        │   │   └── go-spew/
        │   │       └── spew/
        │   │           └── LICENSE
        │   ├── digitorus/
        │   │   ├── pkcs7/
        │   │   │   └── LICENSE
        │   │   └── timestamp/
        │   │       └── LICENSE
        │   ├── dimchansky/
        │   │   └── utfbom/
        │   │       └── LICENSE
        │   ├── distribution/
        │   │   └── reference/
        │   │       └── LICENSE
        │   ├── docker/
        │   │   ├── cli/
        │   │   │   └── cli/
        │   │   │       └── config/
        │   │   │           ├── LICENSE
        │   │   │           └── NOTICE
        │   │   ├── distribution/
        │   │   │   └── registry/
        │   │   │       └── client/
        │   │   │           └── auth/
        │   │   │               └── challenge/
        │   │   │                   └── LICENSE
        │   │   ├── docker/
        │   │   │   ├── LICENSE
        │   │   │   └── NOTICE
        │   │   ├── docker-credential-helpers/
        │   │   │   └── LICENSE
        │   │   ├── go-connections/
        │   │   │   └── LICENSE
        │   │   └── go-units/
        │   │       └── LICENSE
        │   ├── dustin/
        │   │   └── go-humanize/
        │   │       └── LICENSE
        │   ├── emicklei/
        │   │   ├── go-restful/
        │   │   │   └── v3/
        │   │   │       └── LICENSE
        │   │   └── proto/
        │   │       └── LICENSE
        │   ├── evanphx/
        │   │   └── json-patch/
        │   │       └── v5/
        │   │           └── LICENSE
        │   ├── felixge/
        │   │   └── httpsnoop/
        │   │       └── LICENSE.txt
        │   ├── fsnotify/
        │   │   └── fsnotify/
        │   │       └── LICENSE
        │   ├── fxamacker/
        │   │   └── cbor/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── go-chi/
        │   │   └── chi/
        │   │       └── v5/
        │   │           └── LICENSE
        │   ├── go-ini/
        │   │   └── ini/
        │   │       └── LICENSE
        │   ├── go-jose/
        │   │   └── go-jose/
        │   │       └── v4/
        │   │           ├── LICENSE
        │   │           └── json/
        │   │               └── LICENSE
        │   ├── go-kit/
        │   │   └── log/
        │   │       └── LICENSE
        │   ├── go-logfmt/
        │   │   └── logfmt/
        │   │       └── LICENSE
        │   ├── go-logr/
        │   │   ├── logr/
        │   │   │   └── LICENSE
        │   │   └── stdr/
        │   │       └── LICENSE
        │   ├── go-openapi/
        │   │   ├── analysis/
        │   │   │   └── LICENSE
        │   │   ├── errors/
        │   │   │   └── LICENSE
        │   │   ├── jsonpointer/
        │   │   │   ├── LICENSE
        │   │   │   └── NOTICE
        │   │   ├── jsonreference/
        │   │   │   ├── LICENSE
        │   │   │   └── NOTICE
        │   │   ├── loads/
        │   │   │   └── LICENSE
        │   │   ├── runtime/
        │   │   │   ├── LICENSE
        │   │   │   └── middleware/
        │   │   │       └── denco/
        │   │   │           └── LICENSE
        │   │   ├── spec/
        │   │   │   └── LICENSE
        │   │   ├── strfmt/
        │   │   │   └── LICENSE
        │   │   ├── swag/
        │   │   │   ├── LICENSE
        │   │   │   ├── cmdutils/
        │   │   │   │   └── LICENSE
        │   │   │   ├── conv/
        │   │   │   │   └── LICENSE
        │   │   │   ├── fileutils/
        │   │   │   │   └── LICENSE
        │   │   │   ├── jsonname/
        │   │   │   │   └── LICENSE
        │   │   │   ├── jsonutils/
        │   │   │   │   └── LICENSE
        │   │   │   ├── loading/
        │   │   │   │   └── LICENSE
        │   │   │   ├── mangling/
        │   │   │   │   └── LICENSE
        │   │   │   ├── netutils/
        │   │   │   │   └── LICENSE
        │   │   │   ├── stringutils/
        │   │   │   │   └── LICENSE
        │   │   │   ├── typeutils/
        │   │   │   │   └── LICENSE
        │   │   │   └── yamlutils/
        │   │   │       └── LICENSE
        │   │   └── validate/
        │   │       └── LICENSE
        │   ├── go-viper/
        │   │   └── mapstructure/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── gobuffalo/
        │   │   └── flect/
        │   │       └── LICENSE
        │   ├── gobwas/
        │   │   └── glob/
        │   │       └── LICENSE
        │   ├── gogo/
        │   │   └── protobuf/
        │   │       └── LICENSE
        │   ├── golang/
        │   │   ├── groupcache/
        │   │   │   └── lru/
        │   │   │       └── LICENSE
        │   │   ├── protobuf/
        │   │   │   └── ptypes/
        │   │   │       └── timestamp/
        │   │   │           └── LICENSE
        │   │   └── snappy/
        │   │       └── LICENSE
        │   ├── golang-jwt/
        │   │   └── jwt/
        │   │       ├── v4/
        │   │       │   └── LICENSE
        │   │       └── v5/
        │   │           └── LICENSE
        │   ├── google/
        │   │   ├── certificate-transparency-go/
        │   │   │   └── LICENSE
        │   │   ├── gnostic-models/
        │   │   │   └── LICENSE
        │   │   ├── go-cmp/
        │   │   │   └── cmp/
        │   │   │       └── LICENSE
        │   │   ├── go-containerregistry/
        │   │   │   ├── LICENSE
        │   │   │   └── pkg/
        │   │   │       └── authn/
        │   │   │           ├── k8schain/
        │   │   │           │   └── LICENSE
        │   │   │           └── kubernetes/
        │   │   │               └── LICENSE
        │   │   ├── go-github/
        │   │   │   └── v73/
        │   │   │       └── github/
        │   │   │           └── LICENSE
        │   │   ├── go-querystring/
        │   │   │   └── query/
        │   │   │       └── LICENSE
        │   │   ├── s2a-go/
        │   │   │   └── LICENSE.md
        │   │   └── uuid/
        │   │       └── LICENSE
        │   ├── googleapis/
        │   │   ├── enterprise-certificate-proxy/
        │   │   │   └── client/
        │   │   │       └── LICENSE
        │   │   └── gax-go/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── grpc-ecosystem/
        │   │   └── grpc-gateway/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── hashicorp/
        │   │   ├── errwrap/
        │   │   │   ├── LICENSE
        │   │   │   ├── README.md
        │   │   │   └── errwrap.go
        │   │   ├── go-cleanhttp/
        │   │   │   ├── LICENSE
        │   │   │   ├── README.md
        │   │   │   ├── cleanhttp.go
        │   │   │   ├── doc.go
        │   │   │   └── handlers.go
        │   │   ├── go-multierror/
        │   │   │   ├── LICENSE
        │   │   │   ├── Makefile
        │   │   │   ├── README.md
        │   │   │   ├── append.go
        │   │   │   ├── flatten.go
        │   │   │   ├── format.go
        │   │   │   ├── group.go
        │   │   │   ├── multierror.go
        │   │   │   ├── prefix.go
        │   │   │   └── sort.go
        │   │   ├── go-retryablehttp/
        │   │   │   ├── .gitignore
        │   │   │   ├── .go-version
        │   │   │   ├── .golangci.yml
        │   │   │   ├── CHANGELOG.md
        │   │   │   ├── CODEOWNERS
        │   │   │   ├── LICENSE
        │   │   │   ├── Makefile
        │   │   │   ├── README.md
        │   │   │   ├── cert_error_go119.go
        │   │   │   ├── cert_error_go120.go
        │   │   │   ├── client.go
        │   │   │   └── roundtripper.go
        │   │   ├── go-rootcerts/
        │   │   │   ├── .travis.yml
        │   │   │   ├── LICENSE
        │   │   │   ├── Makefile
        │   │   │   ├── README.md
        │   │   │   ├── doc.go
        │   │   │   ├── rootcerts.go
        │   │   │   ├── rootcerts_base.go
        │   │   │   └── rootcerts_darwin.go
        │   │   ├── go-secure-stdlib/
        │   │   │   ├── parseutil/
        │   │   │   │   ├── LICENSE
        │   │   │   │   ├── normalize.go
        │   │   │   │   ├── parsepath.go
        │   │   │   │   └── parseutil.go
        │   │   │   └── strutil/
        │   │   │       ├── LICENSE
        │   │   │       └── strutil.go
        │   │   ├── go-sockaddr/
        │   │   │   ├── .gitignore
        │   │   │   ├── GNUmakefile
        │   │   │   ├── LICENSE
        │   │   │   ├── README.md
        │   │   │   ├── doc.go
        │   │   │   ├── ifaddr.go
        │   │   │   ├── ifaddrs.go
        │   │   │   ├── ifattr.go
        │   │   │   ├── ipaddr.go
        │   │   │   ├── ipaddrs.go
        │   │   │   ├── ipv4addr.go
        │   │   │   ├── ipv6addr.go
        │   │   │   ├── rfc.go
        │   │   │   ├── route_info.go
        │   │   │   ├── route_info_aix.go
        │   │   │   ├── route_info_android.go
        │   │   │   ├── route_info_bsd.go
        │   │   │   ├── route_info_default.go
        │   │   │   ├── route_info_linux.go
        │   │   │   ├── route_info_solaris.go
        │   │   │   ├── route_info_test_windows.go
        │   │   │   ├── route_info_windows.go
        │   │   │   ├── sockaddr.go
        │   │   │   ├── sockaddrs.go
        │   │   │   └── unixsock.go
        │   │   ├── golang-lru/
        │   │   │   ├── .gitignore
        │   │   │   ├── .golangci.yml
        │   │   │   ├── 2q.go
        │   │   │   ├── LICENSE
        │   │   │   ├── README.md
        │   │   │   ├── arc.go
        │   │   │   ├── doc.go
        │   │   │   ├── lru.go
        │   │   │   ├── simplelru/
        │   │   │   │   ├── lru.go
        │   │   │   │   └── lru_interface.go
        │   │   │   └── testing.go
        │   │   ├── hcl/
        │   │   │   ├── .gitignore
        │   │   │   ├── .travis.yml
        │   │   │   ├── LICENSE
        │   │   │   ├── Makefile
        │   │   │   ├── README.md
        │   │   │   ├── appveyor.yml
        │   │   │   ├── decoder.go
        │   │   │   ├── hcl/
        │   │   │   │   ├── ast/
        │   │   │   │   │   ├── ast.go
        │   │   │   │   │   └── walk.go
        │   │   │   │   ├── parser/
        │   │   │   │   │   ├── error.go
        │   │   │   │   │   └── parser.go
        │   │   │   │   ├── scanner/
        │   │   │   │   │   └── scanner.go
        │   │   │   │   ├── strconv/
        │   │   │   │   │   └── quote.go
        │   │   │   │   └── token/
        │   │   │   │       ├── position.go
        │   │   │   │       └── token.go
        │   │   │   ├── hcl.go
        │   │   │   ├── json/
        │   │   │   │   ├── parser/
        │   │   │   │   │   ├── flatten.go
        │   │   │   │   │   └── parser.go
        │   │   │   │   ├── scanner/
        │   │   │   │   │   └── scanner.go
        │   │   │   │   └── token/
        │   │   │   │       ├── position.go
        │   │   │   │       └── token.go
        │   │   │   ├── lex.go
        │   │   │   └── parse.go
        │   │   └── vault/
        │   │       └── api/
        │   │           ├── .copywrite.hcl
        │   │           ├── LICENSE
        │   │           ├── README.md
        │   │           ├── auth.go
        │   │           ├── auth_token.go
        │   │           ├── cliconfig/
        │   │           │   ├── config.go
        │   │           │   ├── hcl_dup_attr_deprecation.go
        │   │           │   └── util.go
        │   │           ├── client.go
        │   │           ├── hcl_dup_attr_deprecation.go
        │   │           ├── help.go
        │   │           ├── kv.go
        │   │           ├── kv_v1.go
        │   │           ├── kv_v2.go
        │   │           ├── lifetime_watcher.go
        │   │           ├── logical.go
        │   │           ├── logical_requests.go
        │   │           ├── output_policy.go
        │   │           ├── output_string.go
        │   │           ├── plugin_helpers.go
        │   │           ├── plugin_runtime_types.go
        │   │           ├── plugin_types.go
        │   │           ├── pluginruntimetype_enumer.go
        │   │           ├── renewbehavior_enumer.go
        │   │           ├── replication_status.go
        │   │           ├── request.go
        │   │           ├── response.go
        │   │           ├── secret.go
        │   │           ├── ssh.go
        │   │           ├── ssh_agent.go
        │   │           ├── sudo_paths.go
        │   │           ├── sys.go
        │   │           ├── sys_audit.go
        │   │           ├── sys_auth.go
        │   │           ├── sys_capabilities.go
        │   │           ├── sys_config_cors.go
        │   │           ├── sys_generate_root.go
        │   │           ├── sys_hastatus.go
        │   │           ├── sys_health.go
        │   │           ├── sys_init.go
        │   │           ├── sys_leader.go
        │   │           ├── sys_leases.go
        │   │           ├── sys_mfa.go
        │   │           ├── sys_monitor.go
        │   │           ├── sys_mounts.go
        │   │           ├── sys_plugins.go
        │   │           ├── sys_plugins_runtimes.go
        │   │           ├── sys_policy.go
        │   │           ├── sys_raft.go
        │   │           ├── sys_rekey.go
        │   │           ├── sys_rotate.go
        │   │           ├── sys_seal.go
        │   │           ├── sys_stepdown.go
        │   │           ├── sys_ui_custom_message.go
        │   │           ├── sys_utilization_report.go
        │   │           └── tokenhelper/
        │   │               ├── helper.go
        │   │               ├── helper_external.go
        │   │               ├── helper_internal.go
        │   │               └── testing.go
        │   ├── in-toto/
        │   │   ├── attestation/
        │   │   │   └── go/
        │   │   │       └── v1/
        │   │   │           └── LICENSE
        │   │   └── in-toto-golang/
        │   │       └── in_toto/
        │   │           └── LICENSE
        │   ├── jedisct1/
        │   │   └── go-minisign/
        │   │       └── LICENSE
        │   ├── jellydator/
        │   │   └── ttlcache/
        │   │       └── v3/
        │   │           └── LICENSE
        │   ├── json-iterator/
        │   │   └── go/
        │   │       └── LICENSE
        │   ├── kelseyhightower/
        │   │   └── envconfig/
        │   │       └── LICENSE
        │   ├── klauspost/
        │   │   └── compress/
        │   │       ├── LICENSE
        │   │       ├── internal/
        │   │       │   └── snapref/
        │   │       │       └── LICENSE
        │   │       └── zstd/
        │   │           └── internal/
        │   │               └── xxhash/
        │   │                   └── LICENSE.txt
        │   ├── kylelemons/
        │   │   └── godebug/
        │   │       └── LICENSE
        │   ├── lestrrat-go/
        │   │   ├── blackmagic/
        │   │   │   └── LICENSE
        │   │   ├── dsig/
        │   │   │   └── LICENSE
        │   │   ├── httpcc/
        │   │   │   └── LICENSE
        │   │   ├── httprc/
        │   │   │   └── v3/
        │   │   │       └── LICENSE
        │   │   ├── jwx/
        │   │   │   └── v3/
        │   │   │       └── LICENSE
        │   │   └── option/
        │   │       ├── LICENSE
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── letsencrypt/
        │   │   └── boulder/
        │   │       ├── LICENSE.txt
        │   │       ├── core/
        │   │       │   ├── challenges.go
        │   │       │   ├── interfaces.go
        │   │       │   ├── objects.go
        │   │       │   ├── proto/
        │   │       │   │   ├── core.pb.go
        │   │       │   │   └── core.proto
        │   │       │   └── util.go
        │   │       ├── goodkey/
        │   │       │   └── good_key.go
        │   │       ├── identifier/
        │   │       │   └── identifier.go
        │   │       ├── probs/
        │   │       │   └── probs.go
        │   │       └── revocation/
        │   │           └── reasons.go
        │   ├── mitchellh/
        │   │   ├── go-homedir/
        │   │   │   └── LICENSE
        │   │   ├── go-wordwrap/
        │   │   │   └── LICENSE.md
        │   │   └── mapstructure/
        │   │       └── LICENSE
        │   ├── moby/
        │   │   ├── docker-image-spec/
        │   │   │   └── specs-go/
        │   │   │       └── v1/
        │   │   │           └── LICENSE
        │   │   └── term/
        │   │       └── LICENSE
        │   ├── modern-go/
        │   │   ├── concurrent/
        │   │   │   └── LICENSE
        │   │   └── reflect2/
        │   │       └── LICENSE
        │   ├── mozillazg/
        │   │   └── docker-credential-acr-helper/
        │   │       └── pkg/
        │   │           └── LICENSE
        │   ├── munnerz/
        │   │   └── goautoneg/
        │   │       └── LICENSE
        │   ├── natefinch/
        │   │   └── atomic/
        │   │       └── LICENSE
        │   ├── nozzle/
        │   │   └── throttler/
        │   │       └── LICENSE
        │   ├── oklog/
        │   │   └── ulid/
        │   │       └── LICENSE
        │   ├── open-policy-agent/
        │   │   └── opa/
        │   │       ├── LICENSE
        │   │       └── internal/
        │   │           ├── edittree/
        │   │           │   └── bitvector/
        │   │           │       └── license.txt
        │   │           ├── gojsonschema/
        │   │           │   └── LICENSE-APACHE-2.0.txt
        │   │           └── semver/
        │   │               └── LICENSE
        │   ├── opencontainers/
        │   │   ├── go-digest/
        │   │   │   └── LICENSE
        │   │   └── image-spec/
        │   │       └── specs-go/
        │   │           └── LICENSE
        │   ├── pelletier/
        │   │   └── go-toml/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── pkg/
        │   │   ├── browser/
        │   │   │   └── LICENSE
        │   │   └── errors/
        │   │       └── LICENSE
        │   ├── pmezard/
        │   │   └── go-difflib/
        │   │       └── difflib/
        │   │           └── LICENSE
        │   ├── prometheus/
        │   │   ├── client_golang/
        │   │   │   ├── internal/
        │   │   │   │   └── github.com/
        │   │   │   │       └── golang/
        │   │   │   │           └── gddo/
        │   │   │   │               └── httputil/
        │   │   │   │                   └── LICENSE
        │   │   │   └── prometheus/
        │   │   │       ├── LICENSE
        │   │   │       └── NOTICE
        │   │   ├── client_model/
        │   │   │   └── go/
        │   │   │       ├── LICENSE
        │   │   │       └── NOTICE
        │   │   ├── common/
        │   │   │   ├── LICENSE
        │   │   │   └── NOTICE
        │   │   ├── procfs/
        │   │   │   ├── LICENSE
        │   │   │   └── NOTICE
        │   │   └── statsd_exporter/
        │   │       └── pkg/
        │   │           ├── LICENSE
        │   │           └── NOTICE
        │   ├── protocolbuffers/
        │   │   └── txtpbfmt/
        │   │       └── LICENSE
        │   ├── rcrowley/
        │   │   └── go-metrics/
        │   │       └── LICENSE
        │   ├── ryanuber/
        │   │   └── go-glob/
        │   │       └── LICENSE
        │   ├── sagikazarmark/
        │   │   └── locafero/
        │   │       └── LICENSE
        │   ├── sassoftware/
        │   │   └── relic/
        │   │       └── lib/
        │   │           └── LICENSE
        │   ├── secure-systems-lab/
        │   │   └── go-securesystemslib/
        │   │       └── LICENSE
        │   ├── shibumi/
        │   │   └── go-pathspec/
        │   │       └── LICENSE
        │   ├── sigstore/
        │   │   ├── cosign/
        │   │   │   └── v3/
        │   │   │       └── LICENSE
        │   │   ├── protobuf-specs/
        │   │   │   └── gen/
        │   │   │       └── pb-go/
        │   │   │           └── LICENSE
        │   │   ├── rekor/
        │   │   │   └── pkg/
        │   │   │       └── LICENSE
        │   │   ├── rekor-tiles/
        │   │   │   └── v2/
        │   │   │       └── LICENSE
        │   │   ├── scaffolding/
        │   │   │   └── pkg/
        │   │   │       └── repo/
        │   │   │           └── LICENSE
        │   │   ├── sigstore/
        │   │   │   └── pkg/
        │   │   │       ├── LICENSE
        │   │   │       └── signature/
        │   │   │           └── kms/
        │   │   │               ├── aws/
        │   │   │               │   └── LICENSE
        │   │   │               ├── azure/
        │   │   │               │   └── LICENSE
        │   │   │               ├── gcp/
        │   │   │               │   └── LICENSE
        │   │   │               └── hashivault/
        │   │   │                   └── LICENSE
        │   │   ├── sigstore-go/
        │   │   │   └── pkg/
        │   │   │       └── LICENSE
        │   │   └── timestamp-authority/
        │   │       └── v2/
        │   │           └── pkg/
        │   │               └── verification/
        │   │                   └── LICENSE
        │   ├── sirupsen/
        │   │   └── logrus/
        │   │       └── LICENSE
        │   ├── sourcegraph/
        │   │   └── conc/
        │   │       └── LICENSE
        │   ├── spf13/
        │   │   ├── afero/
        │   │   │   └── LICENSE.txt
        │   │   ├── cast/
        │   │   │   └── LICENSE
        │   │   ├── cobra/
        │   │   │   └── LICENSE.txt
        │   │   ├── pflag/
        │   │   │   └── LICENSE
        │   │   └── viper/
        │   │       └── LICENSE
        │   ├── subosito/
        │   │   └── gotenv/
        │   │       └── LICENSE
        │   ├── syndtr/
        │   │   └── goleveldb/
        │   │       └── leveldb/
        │   │           └── LICENSE
        │   ├── tchap/
        │   │   └── go-patricia/
        │   │       └── v2/
        │   │           └── patricia/
        │   │               └── LICENSE
        │   ├── theupdateframework/
        │   │   └── go-tuf/
        │   │       ├── LICENSE
        │   │       └── v2/
        │   │           └── metadata/
        │   │               ├── LICENSE
        │   │               └── NOTICE
        │   ├── titanous/
        │   │   └── rocacheck/
        │   │       └── LICENSE
        │   ├── tjfoc/
        │   │   └── gmsm/
        │   │       └── sm3/
        │   │           └── LICENSE
        │   ├── transparency-dev/
        │   │   ├── formats/
        │   │   │   └── log/
        │   │   │       └── LICENSE
        │   │   └── merkle/
        │   │       └── LICENSE
        │   ├── valyala/
        │   │   └── fastjson/
        │   │       └── LICENSE
        │   ├── vbatts/
        │   │   └── tar-split/
        │   │       └── archive/
        │   │           └── tar/
        │   │               └── LICENSE
        │   ├── vektah/
        │   │   └── gqlparser/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── x448/
        │   │   └── float16/
        │   │       └── LICENSE
        │   ├── xeipuuv/
        │   │   ├── gojsonpointer/
        │   │   │   └── LICENSE-APACHE-2.0.txt
        │   │   └── gojsonreference/
        │   │       └── LICENSE-APACHE-2.0.txt
        │   └── yashtewari/
        │       └── glob-intersection/
        │           └── LICENSE
        ├── gitlab.com/
        │   └── gitlab-org/
        │       └── api/
        │           └── client-go/
        │               └── LICENSE
        ├── go.mongodb.org/
        │   └── mongo-driver/
        │       └── LICENSE
        ├── go.opencensus.io/
        │   └── LICENSE
        ├── go.opentelemetry.io/
        │   ├── auto/
        │   │   └── sdk/
        │   │       └── LICENSE
        │   ├── contrib/
        │   │   └── instrumentation/
        │   │       ├── google.golang.org/
        │   │       │   └── grpc/
        │   │       │       └── otelgrpc/
        │   │       │           └── LICENSE
        │   │       └── net/
        │   │           └── http/
        │   │               └── otelhttp/
        │   │                   └── LICENSE
        │   └── otel/
        │       ├── LICENSE
        │       ├── metric/
        │       │   └── LICENSE
        │       ├── sdk/
        │       │   └── LICENSE
        │       └── trace/
        │           └── LICENSE
        ├── go.uber.org/
        │   ├── atomic/
        │   │   └── LICENSE.txt
        │   ├── automaxprocs/
        │   │   └── LICENSE
        │   ├── multierr/
        │   │   └── LICENSE.txt
        │   └── zap/
        │       └── LICENSE
        ├── go.yaml.in/
        │   └── yaml/
        │       ├── v2/
        │       │   ├── LICENSE
        │       │   └── NOTICE
        │       └── v3/
        │           ├── LICENSE
        │           └── NOTICE
        ├── golang.org/
        │   └── x/
        │       ├── crypto/
        │       │   └── LICENSE
        │       ├── mod/
        │       │   └── LICENSE
        │       ├── net/
        │       │   └── LICENSE
        │       ├── oauth2/
        │       │   └── LICENSE
        │       ├── sync/
        │       │   └── LICENSE
        │       ├── sys/
        │       │   └── LICENSE
        │       ├── term/
        │       │   └── LICENSE
        │       ├── text/
        │       │   └── LICENSE
        │       └── time/
        │           └── rate/
        │               └── LICENSE
        ├── gomodules.xyz/
        │   └── jsonpatch/
        │       └── v2/
        │           └── LICENSE
        ├── google.golang.org/
        │   ├── api/
        │   │   ├── LICENSE
        │   │   └── internal/
        │   │       └── third_party/
        │   │           └── uritemplates/
        │   │               └── LICENSE
        │   ├── genproto/
        │   │   └── googleapis/
        │   │       ├── LICENSE
        │   │       ├── api/
        │   │       │   └── LICENSE
        │   │       └── rpc/
        │   │           └── LICENSE
        │   ├── grpc/
        │   │   ├── LICENSE
        │   │   └── NOTICE.txt
        │   └── protobuf/
        │       └── LICENSE
        ├── gopkg.in/
        │   ├── evanphx/
        │   │   └── json-patch.v4/
        │   │       └── LICENSE
        │   ├── inf.v0/
        │   │   └── LICENSE
        │   ├── ini.v1/
        │   │   └── LICENSE
        │   ├── yaml.v2/
        │   │   ├── LICENSE
        │   │   └── NOTICE
        │   └── yaml.v3/
        │       ├── LICENSE
        │       └── NOTICE
        ├── k8s.io/
        │   ├── api/
        │   │   └── LICENSE
        │   ├── apiextensions-apiserver/
        │   │   └── pkg/
        │   │       └── LICENSE
        │   ├── apimachinery/
        │   │   ├── pkg/
        │   │   │   └── LICENSE
        │   │   └── third_party/
        │   │       └── forked/
        │   │           └── golang/
        │   │               └── LICENSE
        │   ├── client-go/
        │   │   └── LICENSE
        │   ├── klog/
        │   │   └── v2/
        │   │       └── LICENSE
        │   ├── kube-openapi/
        │   │   └── pkg/
        │   │       ├── LICENSE
        │   │       ├── internal/
        │   │       │   └── third_party/
        │   │       │       └── go-json-experiment/
        │   │       │           └── json/
        │   │       │               └── LICENSE
        │   │       └── validation/
        │   │           └── spec/
        │   │               └── LICENSE
        │   └── utils/
        │       ├── LICENSE
        │       └── internal/
        │           └── third_party/
        │               └── forked/
        │                   └── golang/
        │                       └── LICENSE
        ├── knative.dev/
        │   ├── hack/
        │   │   └── schema/
        │   │       └── LICENSE
        │   └── pkg/
        │       └── LICENSE
        └── sigs.k8s.io/
            ├── json/
            │   └── LICENSE
            ├── randfill/
            │   ├── LICENSE
            │   └── NOTICE
            ├── release-utils/
            │   └── version/
            │       └── LICENSE
            ├── structured-merge-diff/
            │   └── v6/
            │       └── LICENSE
            └── yaml/
                └── LICENSE

================================================
FILE CONTENTS
================================================

================================================
FILE: .gitattributes
================================================
# This file is documented at https://git-scm.com/docs/gitattributes.
# Linguist-specific attributes are documented at
# https://github.com/github/linguist.

# Files matching doc/cosign*.md are marked as generated. GitHub collapses
# generated files in pull-request diffs by default and leaves them out of the
# language statistics, so a change to one of them has to be expanded
# deliberately to be reviewed.
doc/cosign*.md linguist-generated=true


================================================
FILE: .github/dependabot.yml
================================================
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Dependabot configuration: weekly update PRs for Go modules and for the
# GitHub Actions referenced by the workflows.
version: 2

updates:
# Go modules declared at the repository root.
- package-ecosystem: gomod
  directory: "/"
  schedule:
    interval: weekly
  open-pull-requests-limit: 10
  groups:
    # Every github.com/sigstore/** module is bumped together in one PR.
    sigstore:
      patterns:
        - "github.com/sigstore/**"
    # A dependency is assigned to the first group it matches, so this batches
    # the minor and patch bumps of the remaining modules. Major bumps match no
    # group here and arrive as individual PRs.
    minor-patch:
      update-types: ["minor", "patch"]

# Actions used by the workflows. The workflows pin actions to commit SHAs;
# these update PRs are what moves those pins forward in a reviewable way.
- package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: weekly
  open-pull-requests-limit: 10
  groups:
    minor-patch:
      update-types: ["minor", "patch"]


================================================
FILE: .github/workflows/build.yaml
================================================
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Builds the policy-controller container images and signs them
# (make build-sign-containers, last step).
name: CI-Container-Build

# Triggered only by pushes to main and release-* branches, so the write scopes
# and the OIDC token granted below are never handed to a pull-request run.
on:
  push:
    branches:
      - main
      - release-*

# Workflow-level default: the GITHUB_TOKEN starts with no scopes at all.
# Each job has to opt in to exactly what it needs.
permissions: {}

jobs:
  build:
    name: build
    runs-on: ubuntu-latest

    permissions:
      # Lets the job request an OIDC token; the Google auth step below uses
      # workload identity federation, which depends on it.
      id-token: write
      # Needed by actions/checkout.
      contents: read
      # presumably for pushing the built images under ghcr.io (see KO_PREFIX
      # in the last step) - confirm against the Makefile target
      packages: write

    steps:
      # Every action in this job is pinned to a full commit SHA; the trailing
      # comment records the release tag that SHA corresponds to.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: './go.mod'
          check-latest: true

      # will use the latest release available for ko
      # NOTE(review): the action is SHA-pinned but, per the comment above, the
      # ko binary it installs is not version-pinned; consider fixing the ko
      # version for a job that publishes signed release artifacts.
      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

      - uses: chainguard-dev/actions/goimports@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9

      # Keyless authentication to Google Cloud: the job's OIDC token is
      # exchanged through the workload identity provider for the listed
      # service account, so no long-lived key is stored as a secret.
      - name: Set up Cloud SDK
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-policy-controller'
          service_account: 'gha-policy-controller@projectsigstore.iam.gserviceaccount.com'

      # Registers gcloud as a Docker credential helper, without prompting.
      - name: creds
        run: gcloud auth configure-docker --quiet

      # COSIGN_YES answers cosign's confirmation prompts so signing can run
      # unattended; KO_PREFIX is the image repository prefix handed to the
      # Makefile target (the target itself is defined in the Makefile).
      - name: policy-controller
        run: COSIGN_YES="true" KO_PREFIX=ghcr.io/sigstore/policy-controller/policy-controller/ci make build-sign-containers


================================================
FILE: .github/workflows/codeql-analysis.yml
================================================
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CodeQL static analysis of the Go code.
name: CodeQL

# Runs on every push to main and on a weekly schedule (Mondays, 10:45 UTC).
on:
  push:
    branches: [ main ]
  schedule:
    - cron: '45 10 * * 1'

# NOTE(review): this workflow sets no workflow-level `permissions`, unlike
# build.yaml, which starts from `permissions: {}`. The single job below
# declares its own scopes, so it is not affected today; a workflow-level
# `permissions: {}` would keep any job added later from inheriting the
# repository default.

env:
  # Turns on build tracing for the Go extractor, so the analysis follows the
  # explicit `make policy-controller` build step below.
  CODEQL_EXTRACTOR_GO_BUILD_TRACING: true

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    permissions:
      # Required to upload the analysis results as code-scanning alerts.
      security-events: write
      actions: read
      contents: read

    strategy:
      fail-fast: false
      matrix:
        language: [ 'go' ]

    steps:
    # Actions are pinned to full commit SHAs; the trailing comment records the
    # matching release tag.
    - name: Checkout repository
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

    # Cache is keyed on the hash of every go.sum; when there is no exact hit,
    # restore-keys falls back to the most recent cache for the same OS.
    - name: Utilize Go Module Cache
      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
      with:
        path: |
          ~/go/pkg/mod
          ~/.cache/go-build
        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
        restore-keys: |
          ${{ runner.os }}-go-

    # Go version is taken from go.mod rather than hard-coded here.
    - name: Set correct version of Golang to use during CodeQL run
      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
      with:
        go-version-file: './go.mod'
        check-latest: true

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5
      with:
        languages: ${{ matrix.language }}

    # Explicit build between init and analyze, in place of an autobuild step.
    - name: Build policy controller for CodeQL
      run: |
        make policy-controller

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5


================================================
FILE: .github/workflows/depsreview.yml
================================================
#
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Dependency review of pull requests, delegated to the shared sigstore/community
# reusable workflow.
name: 'Dependency Review'
on: [pull_request]

# A called reusable workflow can keep or reduce the caller's token scopes but
# cannot raise them, so read-only contents is the ceiling for the job below.
permissions:
  contents: read

jobs:
  dependency-review:
    name: dependency-review
    # Pinned to a commit SHA; the trailing comment records which point of the
    # upstream main branch it was taken from, since there is no release tag.
    uses: sigstore/community/.github/workflows/reusable-dependency-review.yml@a38887851a12d604b8441ed09e6ebf6b9fe17cbc # main branch 30/Jun/2025


================================================
FILE: .github/workflows/donotsubmit.yaml
================================================
# Pull-request gate that runs the chainguard-dev "donotsubmit" action on the
# checked-out tree.
name: Do Not Submit

on:
  pull_request:
    branches: [ 'main', 'release-*' ]

# read-all grants read access on every token scope.
# NOTE(review): the job only checks out the code and runs one action on it, so
# `contents: read` is probably enough - confirm the action needs nothing else
# before narrowing.
permissions: read-all

jobs:

  donotsubmit:
    name: Do Not Submit
    runs-on: ubuntu-latest

    steps:
      # Both actions are pinned to full commit SHAs, release tag in the comment.
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Do Not Submit
        uses: chainguard-dev/actions/donotsubmit@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9


================================================
FILE: .github/workflows/kind-cluster-image-policy-no-tuf.yaml
================================================
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Test policy-controller with ClusterImagePolicy TUF disabled

on:
  pull_request:
    branches: [ 'main', 'release-*' ]

defaults:
  run:
    shell: bash

permissions: read-all

jobs:
  cip-test-no-tuf:
    name: ClusterImagePolicy e2e tests TUF disabled
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false # Keep running if one leg fails.
      matrix:
        k8s-version:
        - v1.31.x
        - v1.32.x
        - v1.33.x
        - v1.34.x

    env:
      KO_DOCKER_REPO: "registry.local:5000/policy-controller"
      SCAFFOLDING_RELEASE_VERSION: "v0.7.27"
      GO111MODULE: on
      GOFLAGS: -ldflags=-s -ldflags=-w
      KOCACHE: ~/ko

    steps:
    - name: free up disk space for the release
      run: |
          rm -rf /usr/share/dotnet/
          rm -rf "$AGENT_TOOLSDIRECTORY"
          rm -rf "/usr/local/share/boost"
          rm -rf /opt/ghc
          docker rmi $(docker image ls -aq) || true
          swapoff /swapfile || true
          rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc  || true
          apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \
            clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \
            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \
            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \
            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \
            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \
            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \
            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \
            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \
            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \
            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \
            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \
            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \
            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \
            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \
            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \
            php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \
            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \
            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \
            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \
            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \
            php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \
            php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \
            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \
            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \
            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \
            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \
            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \
            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \
            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \
            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \
            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \
            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \
            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \
            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true
          apt-get remove -y 'php.*' || true
          apt-get autoremove -y >/dev/null 2>&1 || true
          apt-get autoclean -y >/dev/null 2>&1 || true
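    # persist-credentials: false keeps the job token out of .git/config, so the
    # later build and e2e steps cannot read it from the checkout.
    # kind-e2e-cosigned.yaml already checks out this way.
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false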
    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
      with:
        go-version-file: './go.mod'
        check-latest: true

    # No `version` input is set, so setup-ko installs the latest ko release: the
    # action itself is SHA-pinned, but the ko binary it fetches is not.
    # NOTE(review): consider setting `version:` to a known release for reproducible builds.
    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

    - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0

    - name: Install yq
      uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4

    - name: Setup mirror
      uses: chainguard-dev/actions/setup-mirror@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
      with:
        mirror: mirror.gcr.io

    # Same commit SHA that kind-e2e-cosigned.yaml annotates as v3.9.2.
    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159

    # NOTE(review): every other action in this job is pinned to a commit SHA, but
    # this one tracks the mutable `main` branch, so the code that runs can change
    # without any change to this file. The `version` input below only selects the
    # scaffolding release to install; it does not pin the action's own code.
    # Pin `uses:` to a commit SHA and record the matching tag in a comment.
    - name: Install cluster + sigstore
      uses: sigstore/scaffolding/actions/setup@main
      with:
        k8s-version: ${{ matrix.k8s-version}}
        version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}

    - name: Install policy-controller
      env:
        GIT_HASH: ${{ github.sha }}
        GIT_VERSION: ci
        LDFLAGS: ""
        POLICY_CONTROLLER_YAML: test/kustomize-no-tuf/policy-controller-e2e.yaml
        KO_PREFIX: registry.local:5000/policy-controller
        POLICY_CONTROLLER_ARCHS: linux/amd64
      run: |
        make ko-policy-controller
        kustomize build test/kustomize-no-tuf | kubectl apply -f -

        # Wait for the webhook to come up and become Ready
        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook

    - name: Run Cluster Image Policy Tests that only tests keys, no keyless
      timeout-minutes: 15
      run: |
        ./test/e2e_test_cluster_image_policy_no_tuf.sh

    - name: Collect diagnostics
      if: ${{ failure() }}
      uses: chainguard-dev/actions/kind-diag@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9


================================================
FILE: .github/workflows/kind-cluster-image-policy-trustroot.yaml
================================================
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Test policy-controller with TrustRoot - Bring your own keys

on:
  pull_request:
    branches: [ 'main', 'release-*' ]

defaults:
  run:
    shell: bash

# NOTE(review): read-all gives the job token read access to every scope.
# kind-e2e-cosigned.yaml starts from `permissions: {}` and grants only
# `contents: read` on the job; the same should work here if no step needs
# more — confirm before narrowing.
permissions: read-all

jobs:
  cip-test-trustroot-bring-your-own-keys:
    name: ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false # Keep running if one leg fails.
      matrix:
        k8s-version:
          - v1.31.x
          - v1.32.x
          - v1.33.x
          - v1.34.x

        script:
        - repository
        - remote
        - bring_own_keys

    env:
      KO_DOCKER_REPO: "registry.local:5000/policy-controller"
      SCAFFOLDING_RELEASE_VERSION: "v0.7.27"
      GO111MODULE: on
      GOFLAGS: -ldflags=-s -ldflags=-w
      KOCACHE: ~/ko

    steps:
    - name: free up disk space for the release
      run: |
          rm -rf /usr/share/dotnet/
          rm -rf "$AGENT_TOOLSDIRECTORY"
          rm -rf "/usr/local/share/boost"
          rm -rf /opt/ghc
          docker rmi $(docker image ls -aq) || true
          swapoff /swapfile || true
          rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc  || true
          apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \
            clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \
            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \
            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \
            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \
            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \
            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \
            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \
            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \
            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \
            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \
            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \
            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \
            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \
            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \
            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \
            php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \
            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \
            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \
            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \
            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \
            php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \
            php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \
            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \
            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \
            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \
            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \
            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \
            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \
            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \
            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \
            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \
            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \
            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \
            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true
          apt-get remove -y 'php.*' || true
          apt-get autoremove -y >/dev/null 2>&1 || true
          apt-get autoclean -y >/dev/null 2>&1 || true
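    # persist-credentials: false keeps the job token out of .git/config, so the
    # later build and e2e steps cannot read it from the checkout.
    # kind-e2e-cosigned.yaml already checks out this way.
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false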
    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
      with:
        go-version-file: './go.mod'
        check-latest: true

    # No `version` input is set, so setup-ko installs the latest ko release: the
    # action itself is SHA-pinned, but the ko binary it fetches is not.
    # NOTE(review): consider setting `version:` to a known release for reproducible builds.
    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

    - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0

    - name: Install yq
      uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4

    - name: Setup mirror
      uses: chainguard-dev/actions/setup-mirror@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
      with:
        mirror: mirror.gcr.io

    # Same commit SHA that kind-e2e-cosigned.yaml annotates as v3.9.2.
    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159

    # NOTE(review): every other action in this job is pinned to a commit SHA, but
    # this one tracks the mutable `main` branch, so the code that runs can change
    # without any change to this file. The `version` input below only selects the
    # scaffolding release to install; it does not pin the action's own code.
    # Pin `uses:` to a commit SHA and record the matching tag in a comment.
    - name: Install cluster + sigstore
      uses: sigstore/scaffolding/actions/setup@main
      with:
        k8s-version: ${{ matrix.k8s-version}}
        version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}

    # Install policy-controller that does not have TUF embedded or installed.
    - name: Install policy-controller
      env:
        GIT_HASH: ${{ github.sha }}
        GIT_VERSION: ci
        LDFLAGS: ""
        POLICY_CONTROLLER_YAML: test/kustomize-no-tuf/policy-controller-e2e.yaml
        KO_PREFIX: registry.local:5000/policy-controller
        POLICY_CONTROLLER_ARCHS: linux/amd64
      run: |
        make ko-policy-controller
        kustomize build test/kustomize-no-tuf | kubectl apply -f -

        # Wait for the webhook to come up and become Ready
        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
        echo "TUF_ROOT_FILE=./root.json" >> $GITHUB_ENV

    # The matrix.script expression is substituted into the script text before
    # bash runs it. That is acceptable here because the values come only from the
    # fixed matrix list in this file; values a PR author controls (titles, branch
    # names) should be passed through `env:` and read as shell variables instead.
    - name: Run Trustroot Tests that tests with different TUF configurations
      timeout-minutes: 5
      run: |
        ./test/e2e_test_cluster_image_policy_with_trustroot_${{ matrix.script }}.sh

    - name: Collect diagnostics
      if: ${{ failure() }}
      uses: chainguard-dev/actions/kind-diag@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9


================================================
FILE: .github/workflows/kind-cluster-image-policy-tsa.yaml
================================================
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Test policy-controller with TSA

on:
  pull_request:
    branches: [ 'main', 'release-*' ]

defaults:
  run:
    shell: bash

# NOTE(review): read-all gives the job token read access to every scope.
# kind-e2e-cosigned.yaml starts from `permissions: {}` and grants only
# `contents: read` on the job; the same should work here if no step needs
# more — confirm before narrowing.
permissions: read-all

jobs:
  # NOTE(review): this job id and display name are the same as in
  # kind-cluster-image-policy-trustroot.yaml, although this workflow runs the TSA
  # tests. A TSA-specific name would make the check results easier to tell apart.
  # Renaming changes the reported check name, so any required-check settings
  # that refer to it would need updating as well.
  cip-test-trustroot-bring-your-own-keys:
    name: ClusterImagePolicy e2e tests with TrustRoot - Bring Your Own Keys
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false # Keep running if one leg fails.
      matrix:
        k8s-version:
          - v1.31.x
          - v1.32.x
          - v1.33.x
          - v1.34.x

    env:
      KO_DOCKER_REPO: "registry.local:5000/policy-controller"
      SCAFFOLDING_RELEASE_VERSION: "v0.7.27"
      GO111MODULE: on
      GOFLAGS: -ldflags=-s -ldflags=-w
      KOCACHE: ~/ko

    steps:
    - name: free up disk space for the release
      run: |
          rm -rf /usr/share/dotnet/
          rm -rf "$AGENT_TOOLSDIRECTORY"
          rm -rf "/usr/local/share/boost"
          rm -rf /opt/ghc
          docker rmi $(docker image ls -aq) || true
          swapoff /swapfile || true
          rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc  || true
          apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \
            clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \
            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \
            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \
            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \
            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \
            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \
            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \
            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \
            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \
            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \
            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \
            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \
            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \
            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \
            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \
            php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \
            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \
            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \
            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \
            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \
            php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \
            php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \
            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \
            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \
            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \
            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \
            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \
            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \
            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \
            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \
            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \
            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \
            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \
            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true
          apt-get remove -y 'php.*' || true
          apt-get autoremove -y >/dev/null 2>&1 || true
          apt-get autoclean -y >/dev/null 2>&1 || true
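    # persist-credentials: false keeps the job token out of .git/config, so the
    # later build and e2e steps cannot read it from the checkout.
    # kind-e2e-cosigned.yaml already checks out this way.
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false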
    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
      with:
        go-version-file: './go.mod'
        check-latest: true

    # No `version` input is set, so setup-ko installs the latest ko release: the
    # action itself is SHA-pinned, but the ko binary it fetches is not.
    # NOTE(review): consider setting `version:` to a known release for reproducible builds.
    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

    - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0

    - name: Install yq
      uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4

    - name: Setup mirror
      uses: chainguard-dev/actions/setup-mirror@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
      with:
        mirror: mirror.gcr.io

    # The previous "v2" annotation did not match: kind-e2e-cosigned.yaml annotates
    # this same commit SHA as v3.9.2.
    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

    # NOTE(review): every other action in this job is pinned to a commit SHA, but
    # this one tracks the mutable `main` branch, so the code that runs can change
    # without any change to this file. The `version` input below only selects the
    # scaffolding release to install; it does not pin the action's own code.
    # Pin `uses:` to a commit SHA and record the matching tag in a comment.
    - name: Install cluster + sigstore
      uses: sigstore/scaffolding/actions/setup@main
      env:
        INSTALL_TSA: true
      with:
        k8s-version: ${{ matrix.k8s-version}}
        version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}

    # Install policy-controller that does not have TUF embedded or installed.
    - name: Install policy-controller
      env:
        GIT_HASH: ${{ github.sha }}
        GIT_VERSION: ci
        LDFLAGS: ""
        POLICY_CONTROLLER_YAML: test/kustomize-no-tuf/policy-controller-e2e.yaml
        KO_PREFIX: registry.local:5000/policy-controller
        POLICY_CONTROLLER_ARCHS: linux/amd64
      run: |
        make ko-policy-controller
        kustomize build test/kustomize-no-tuf | kubectl apply -f -

        # Wait for the webhook to come up and become Ready
        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
        echo "TUF_ROOT_FILE=./root.json" >> $GITHUB_ENV

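    # Second checkout: fetches the timestamp-authority sources so the next step
    # can build timestamp-cli from them.
    - name: Checkout TSA for testing.
      # The version comment previously read v3.0.2, but this is the same commit
      # SHA the first checkout step in this job annotates as v6.0.2.
      # No `ref` is given, so this checks out the default branch of
      # sigstore/timestamp-authority at whatever commit it is on when the job runs.
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        repository: sigstore/timestamp-authority
        path: ./src/github.com/sigstore/timestamp-authority
        # Keep the job token out of this checkout's .git/config as well.
        persist-credentials: false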

    - name: Build timestamp-cli
      working-directory: ./src/github.com/sigstore/timestamp-authority
      run: |
        go build -o ./timestamp-cli ./cmd/timestamp-cli

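    # Smoke-test the in-cluster TSA with the freshly built timestamp-cli: fetch
    # the certificate chain, timestamp a small blob, then verify and inspect the
    # response. TSA_URL is also exported to later steps through GITHUB_ENV.
    - name: Exercise our local TSA
      working-directory: ./src/github.com/sigstore/timestamp-authority
      run: |
        TSA_URL=$(kubectl -n tsa-system get ksvc tsa -ojsonpath='{.status.url}')
        echo "TSA_URL=$TSA_URL" >> "$GITHUB_ENV"

        # --fail makes curl exit non-zero on an HTTP error instead of saving the
        # error body as ts_chain.pem, which would only surface later as a
        # confusing verification failure.
        curl --fail --silent --show-error "$TSA_URL/api/v1/timestamp/certchain" > ts_chain.pem
        echo "myblob" > myblob
        if ! ./timestamp-cli --timestamp_server "$TSA_URL" timestamp --hash sha256 --artifact myblob --out response.tsr ; then
          echo "failed to timestamp artifact"
          exit 1
        fi
        if ! ./timestamp-cli verify --timestamp response.tsr --artifact "myblob" --certificate-chain ts_chain.pem ; then
          echo "failed to verify timestamp"
          exit 1
        fi
        if ! ./timestamp-cli inspect --timestamp response.tsr --format json ; then
          echo "failed to inspect the timestamp"
          exit 1
        fi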

    - name: Run TSA Tests
      timeout-minutes: 5
      run: |
        ./test/e2e_test_cluster_image_policy_with_tsa.sh

    - name: Collect diagnostics
      if: ${{ failure() }}
      uses: chainguard-dev/actions/kind-diag@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9


================================================
FILE: .github/workflows/kind-cluster-image-policy.yaml
================================================
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Test policy-controller with ClusterImagePolicy

on:
  pull_request:
    branches: [ 'main', 'release-*' ]

defaults:
  run:
    shell: bash

# NOTE(review): read-all gives the job token read access to every scope.
# kind-e2e-cosigned.yaml starts from `permissions: {}` and grants only
# `contents: read` on the job; the same should work here if no step needs
# more — confirm before narrowing.
permissions: read-all

jobs:
  cip-test:
    name: ClusterImagePolicy e2e tests
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false # Keep running if one leg fails.
      matrix:
        k8s-version:
          - v1.31.x
          - v1.32.x
          - v1.33.x
          - v1.34.x

        script:
        - cluster_image_policy
        - cluster_image_policy_with_attestations
        - cluster_image_policy_with_oci11_attestations
        - cluster_with_scalable
        - cluster_image_policy_with_warn
        - cluster_image_policy_with_source
        - cluster_image_policy_with_fetch_config_file
        - cluster_image_policy_with_include_spec
        - cluster_image_policy_with_include_objectmeta
        - cluster_image_policy_with_attestations_rego
        - cluster_image_policy_with_include_typemeta
        - cluster_image_policy_from_configmap_with_fetch_config_file
        - cluster_image_policy_from_url

    env:
      KO_DOCKER_REPO: "registry.local:5000/policy-controller"
      SCAFFOLDING_RELEASE_VERSION: "v0.7.27"
      GO111MODULE: on
      GOFLAGS: -ldflags=-s -ldflags=-w
      KOCACHE: ~/ko

    steps:
    - name: free up disk space for the release
      run: |
          rm -rf /usr/share/dotnet/
          rm -rf "$AGENT_TOOLSDIRECTORY"
          rm -rf "/usr/local/share/boost"
          rm -rf /opt/ghc
          docker rmi $(docker image ls -aq) || true
          swapoff /swapfile || true
          rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc  || true
          apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \
            clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \
            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \
            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \
            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \
            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \
            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \
            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \
            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \
            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \
            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \
            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \
            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \
            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \
            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \
            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \
            php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \
            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \
            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \
            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \
            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \
            php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \
            php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \
            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \
            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \
            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \
            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \
            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \
            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \
            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \
            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \
            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \
            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \
            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \
            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true
          apt-get remove -y 'php.*' || true
          apt-get autoremove -y >/dev/null 2>&1 || true
          apt-get autoclean -y >/dev/null 2>&1 || true
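    # persist-credentials: false keeps the job token out of .git/config, so the
    # later build and e2e steps cannot read it from the checkout.
    # kind-e2e-cosigned.yaml already checks out this way.
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false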
    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
      with:
        go-version-file: './go.mod'
        check-latest: true

    # No `version` input is set, so setup-ko installs the latest ko release: the
    # action itself is SHA-pinned, but the ko binary it fetches is not.
    # NOTE(review): consider setting `version:` to a known release for reproducible builds.
    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

    - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0

    - name: Install yq
      uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4

    - name: Setup mirror
      uses: chainguard-dev/actions/setup-mirror@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
      with:
        mirror: mirror.gcr.io

    # Same commit SHA that kind-e2e-cosigned.yaml annotates as v3.9.2.
    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159

    # NOTE(review): every other action in this job is pinned to a commit SHA, but
    # this one tracks the mutable `main` branch, so the code that runs can change
    # without any change to this file. The `version` input below only selects the
    # scaffolding release to install; it does not pin the action's own code.
    # Pin `uses:` to a commit SHA and record the matching tag in a comment.
    - name: Install cluster + sigstore
      uses: sigstore/scaffolding/actions/setup@main
      with:
        k8s-version: ${{ matrix.k8s-version}}
        version: ${{ env.SCAFFOLDING_RELEASE_VERSION }}

    - name: Copy TUF root to policy-controller namespace
      run: |
        kubectl create ns cosign-system
        kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: cosign-system/' | kubectl create -f -
        echo "TUF_ROOT_FILE=./root.json" >> $GITHUB_ENV

    - name: Install policy-controller
      env:
        GIT_HASH: ${{ github.sha }}
        GIT_VERSION: ci
        LDFLAGS: ""
        POLICY_CONTROLLER_YAML: test/kustomize/policy-controller-e2e.yaml
        KO_PREFIX: registry.local:5000/policy-controller
        POLICY_CONTROLLER_ARCHS: linux/amd64
      run: |
        make ko-policy-controller
        kustomize build test/kustomize | kubectl apply -f -

        # Wait for the webhook to come up and become Ready
        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook

        # And make sure everything is up.
        kubectl wait deployment -n cosign-system --for condition=Available=True --timeout=90s --all
        sleep 10

    # The matrix.script expression is substituted into the script text before
    # bash runs it. That is acceptable here because the values come only from the
    # fixed matrix list in this file; values a PR author controls (titles, branch
    # names) should be passed through `env:` and read as shell variables instead.
    - name: Run Cluster Image Policy Tests
      timeout-minutes: 15
      run: |
        ./test/e2e_test_${{ matrix.script }}.sh

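    # Fails the job if the dumped policy.sigstore.dev webhook configuration
    # contains the string "status". The grep is a plain substring match on the
    # whole YAML, so it also matches "status" inside names or annotations.
    # The step name previously misspelled "validatingwebhookconfiguration".
    - name: Make sure validatingwebhookconfiguration contains no status subresources
      run: |
        if kubectl get validatingwebhookconfigurations -oyaml policy.sigstore.dev | grep -q status; then
          echo Found status resources in the webhook configuration
          exit 1
        fi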

    - name: Collect diagnostics
      if: ${{ failure() }}
      uses: chainguard-dev/actions/kind-diag@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9


================================================
FILE: .github/workflows/kind-e2e-cosigned.yaml
================================================
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Policy Controller KinD E2E

on:
  pull_request:
    branches:
      - 'main'

permissions: {}

jobs:
  e2e-tests:
    name: e2e tests
    runs-on: ubuntu-latest

    permissions:
      contents: read # For checking out the code.

    strategy:
      fail-fast: false # Keep running if one leg fails.
      matrix:
        k8s-version:
        - v1.31.x
        - v1.32.x
        - v1.33.x
        - v1.34.x

    env:
      # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
      # '*.local' hostnames.
      REGISTRY_NAME: registry.local
      REGISTRY_PORT: 5000
      INSECURE_REGISTRY_NAME: insecure-registry.notlocal
      INSECURE_REGISTRY_PORT: 5001
      KO_DOCKER_REPO: registry.local:5000/policy-controller

    steps:
    - name: free up disk space for the release
      run: |
          rm -rf /usr/share/dotnet/
          rm -rf "$AGENT_TOOLSDIRECTORY"
          rm -rf "/usr/local/share/boost"
          rm -rf /opt/ghc
          docker rmi $(docker image ls -aq) || true
          swapoff /swapfile || true
          rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc  || true
          apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \
            clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \
            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \
            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \
            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \
            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \
            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \
            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \
            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \
            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \
            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \
            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \
            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \
            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \
            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \
            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \
            php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \
            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \
            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \
            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \
            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \
            php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \
            php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \
            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \
            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \
            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \
            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \
            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \
            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \
            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \
            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \
            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \
            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \
            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \
            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true
          apt-get remove -y 'php.*' || true
          apt-get autoremove -y >/dev/null 2>&1 || true
          apt-get autoclean -y >/dev/null 2>&1 || true

    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false

    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
      with:
        go-version-file: './go.mod'
        check-latest: true

    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

    - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0

    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

    - name: Setup mirror
      uses: chainguard-dev/actions/setup-mirror@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
      with:
        mirror: mirror.gcr.io

    - name: Setup kind cluster
      uses: chainguard-dev/actions/setup-kind@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
      with:
        k8s-version: ${{ matrix.k8s-version }}
        cluster-suffix: c${{ github.run_id }}.local

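    # Test fixture only: starts a throwaway registry that serves TLS with a
    # freshly generated self-signed certificate, so clients can only talk to it
    # with certificate verification disabled or with this certificate trusted.
    # NOTE(review): the certificate CN is example.com, not the registry
    # hostname; INSECURE_REGISTRY_NAME/PORT are expected from the job-level env.
    - name: Setup local insecure registry
      run: |
        # Create a self-signed SSL cert. -nodes leaves the private key
        # unencrypted on disk so the registry container can read it; the key is
        # generated per run and must never be reused outside this job.
        mkdir -p insecure-certs
        openssl req \
          -subj "/C=US/ST=WA/L=Flavorton/O=Tests-R-Us/OU=Dept. of Insecurity/CN=example.com/emailAddress=testing@example.com" \
          -newkey rsa:4096 -nodes -sha256 -keyout insecure-certs/domain.key \
          -x509 -days 365 -out insecure-certs/domain.crt

        # Run a registry. Variables are quoted so an empty or unexpected value
        # fails loudly instead of silently shifting the docker arguments.
        docker run -d --restart=always \
          --name "$INSECURE_REGISTRY_NAME" \
          -v "$(pwd)"/insecure-certs:/insecure-certs \
          -e "REGISTRY_HTTP_ADDR=0.0.0.0:${INSECURE_REGISTRY_PORT}" \
          -e REGISTRY_HTTP_TLS_CERTIFICATE=/insecure-certs/domain.crt \
          -e REGISTRY_HTTP_TLS_KEY=/insecure-certs/domain.key \
          -p "${INSECURE_REGISTRY_PORT}:${INSECURE_REGISTRY_PORT}" \
          registry:2

        # Connect the registry to the KinD network.
        docker network connect "kind" "$INSECURE_REGISTRY_NAME"

        # Make the $INSECURE_REGISTRY_NAME -> 127.0.0.1, to tell `ko` to publish to
        # local registry, even when pushing $INSECURE_REGISTRY_NAME:$INSECURE_REGISTRY_PORT/some/image
        # Only `tee` needs root to append to /etc/hosts; `echo` does not.
        echo "127.0.0.1 $INSECURE_REGISTRY_NAME" | sudo tee -a /etc/hosts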

    - name: Install policy-controller
      env:
        GIT_HASH: ${{ github.sha }}
        GIT_VERSION: ci
        LDFLAGS: ""
        POLICY_CONTROLLER_YAML: policy-controller-e2e.yaml
        KO_PREFIX: registry.local:5000/policy-controller
        POLICY_CONTROLLER_ARCHS: linux/amd64
      run: |
        make ko-policy-controller
        kubectl apply -f policy-controller-e2e.yaml

        # Wait for the webhook to come up and become Ready
        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
        kubectl wait deployment -n cosign-system --for condition=Available=True --timeout=90s --all

    - name: Run Image Policy Tests
      run: |
        ./test/e2e_test_policy_crd.sh

    - name: Run Policy Controller Tests
      run: |
        ./test/e2e_test_policy_controller.sh

    - name: Collect diagnostics
      if: ${{ failure() }}
      uses: chainguard-dev/actions/kind-diag@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9


================================================
FILE: .github/workflows/kind-e2e-trustroot-crd.yaml
================================================
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: TrustRoot CRD KinD E2E

on:
  pull_request:
    branches:
      - 'main'

permissions: {}

jobs:
  e2e-crd-tests:
    name: e2e CRD tests
    runs-on: ubuntu-latest

    permissions:
      contents: read # For checking out the code.

    strategy:
      fail-fast: false # Keep running if one leg fails.
      matrix:
        k8s-version:
        - v1.31.x
        - v1.32.x
        - v1.33.x
        - v1.34.x

    env:
      # https://github.com/google/go-containerregistry/pull/125 allows insecure registry for
      # '*.local' hostnames.
      # These names describe test-only registries; nothing here should be
      # reused for a registry that holds real images.
      REGISTRY_NAME: registry.local
      REGISTRY_PORT: 5000
      # NOTE(review): no step in this workflow starts a registry under the
      # INSECURE_* name/port; presumably they are only read by the test
      # script, or are left over from a sibling workflow. Verify and drop if unused.
      INSECURE_REGISTRY_NAME: insecure-registry.notlocal
      INSECURE_REGISTRY_PORT: 5001
      KO_DOCKER_REPO: registry.local:5000/policy-controller

    steps:
    - name: free up disk space for the release
      run: |
          rm -rf /usr/share/dotnet/
          rm -rf "$AGENT_TOOLSDIRECTORY"
          rm -rf "/usr/local/share/boost"
          rm -rf /opt/ghc
          docker rmi $(docker image ls -aq) || true
          swapoff /swapfile || true
          rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc  || true
          apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \
            clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \
            clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \
            esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \
            google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \
            ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \
            cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \
            libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
            mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \
            mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \
            libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \
            php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \
            php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \
            php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \
            php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \
            php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \
            php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \
            php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \
            php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \
            php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \
            php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \
            php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \
            php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \
            php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \
            php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \
            php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \
            php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \
            php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \
            php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \
            php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \
            php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \
            php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \
            php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \
            php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \
            php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \
            sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true
          apt-get remove -y 'php.*' || true
          apt-get autoremove -y >/dev/null 2>&1 || true
          apt-get autoclean -y >/dev/null 2>&1 || true

    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        persist-credentials: false

    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
      with:
        go-version-file: './go.mod'
        check-latest: true

    - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

    - uses: imranismail/setup-kustomize@53f941b41dca13ed61874bbc6b4b6e1562877530 # v3.0.0

    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

    - name: Setup mirror
      uses: chainguard-dev/actions/setup-mirror@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
      with:
        mirror: mirror.gcr.io

    - name: Setup kind cluster
      uses: chainguard-dev/actions/setup-kind@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
      with:
        k8s-version: ${{ matrix.k8s-version }}
        cluster-suffix: c${{ github.run_id }}.local

    - name: Install policy-controller
      env:
        GIT_HASH: ${{ github.sha }}
        GIT_VERSION: ci
        LDFLAGS: ""
        POLICY_CONTROLLER_YAML: policy-controller-e2e.yaml
        KO_PREFIX: registry.local:5000/policy-controller
        POLICY_CONTROLLER_ARCHS: linux/amd64
      run: |
        make ko-policy-controller
        kubectl apply -f policy-controller-e2e.yaml

        # Wait for the webhook to come up and become Ready
        kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook

        kubectl wait deployment -n cosign-system --for condition=Available=True --timeout=90s --all

    - name: Run TrustRoot CRD e2e tests
      run: |
        ./test/e2e_test_trustroot_crd.sh

    - name: Collect diagnostics
      if: ${{ failure() }}
      uses: chainguard-dev/actions/kind-diag@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9


================================================
FILE: .github/workflows/lint.yaml
================================================
name: golangci-lint
on:
  push:
    branches:
      - main
  pull_request:

permissions: {}

jobs:
  golangci:
    name: lint
    runs-on: ubuntu-latest

    permissions:
      contents: read
      pull-requests: read

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: './go.mod'

      - name: golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          version: v2.6


================================================
FILE: .github/workflows/milestone.yaml
================================================
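name: Milestone

# Assigns the earliest-due open milestone to a pull request once it is merged.
#
# pull_request_target runs in the context of the base repository, so the job
# token carries the write scopes listed below even for pull requests opened
# from forks. That is acceptable here only because the job never checks out or
# executes pull-request content: it reads `merged`, `milestone` and `number`
# from the event payload and passes them to the REST API. Do not add a
# checkout of the PR head or a `run:` step that interpolates PR-controlled
# fields to this workflow.
on:
  pull_request_target:
    types: [closed]
    branches:
      - main

jobs:
  milestone:
    runs-on: ubuntu-latest

    # Only issues/pull-requests need write access (to set the milestone);
    # every other scope is explicitly disabled.
    permissions:
      actions: none
      checks: none
      contents: read
      deployments: none
      issues: write
      packages: none
      pull-requests: write
      repository-projects: none
      security-events: none
      statuses: none

    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        with:
          script: |
            // `closed` also fires for PRs that were closed without merging.
            if (!context.payload.pull_request.merged) {
              console.log('PR was not merged, skipping.');
              return;
            }
            // Never overwrite a milestone that was set by hand.
            if (!!context.payload.pull_request.milestone) {
              console.log('PR has existing milestone, skipping.');
              return;
            }
            // Open milestones, soonest due date first. Declared with const so
            // the result does not leak into the script's global scope.
            const milestones = await github.rest.issues.listMilestones({
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'open',
              sort: 'due_on',
              direction: 'asc'
            })
            if (milestones.data.length === 0) {
              console.log('There are no milestones, skipping.');
              return;
            }
            // Pull requests are issues in the REST API, hence issues.update.
            await github.rest.issues.update({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              milestone: milestones.data[0].number
            });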


================================================
FILE: .github/workflows/policy-tester-examples.yml
================================================
#
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Verify examples using policy-tester

on:
  workflow_dispatch:
  push:
    branches: ['main', 'release-*']
  pull_request:

jobs:
  verify:
    runs-on: ubuntu-latest

    permissions:
      id-token: write
      contents: read

    env:
      GOPATH: ${{ github.workspace }}
      COSIGN_YES: "true"

    steps:
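    # This job builds and runs code from the checked-out ref (including pull
    # requests), so the job token is not left behind in .git/config: no later
    # step needs authenticated git access.
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        path: ./src/github.com/${{ github.repository }}
        fetch-depth: 0
        persist-credentials: false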

    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
      with:
        go-version-file: './src/github.com/${{ github.repository }}/go.mod'
        check-latest: true

    - name: Build the policy-tester CLI
      working-directory: ./src/github.com/${{ github.repository }}
      run: |
        make policy-tester

    - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

    - name: Setup local registry
      run: |
        docker run -d  --restart=always \
          --name registry.local \
          -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
          -p 5000:5000 \
          registry:2

    - name: Example (custom-key-attestation-sbom-spdxjson)
      working-directory: ./src/github.com/${{ github.repository }}/examples
      run: |
        REF="localhost:5000/examples/custom-key-attestation-sbom-spdxjson"

        # Push an image
        docker pull alpine
        docker tag alpine "${REF}"
        docker push "${REF}"

        # Attach attestation to image
        cosign attest --yes --type spdxjson \
          --predicate sboms/example.spdx.json \
          --key keys/cosign.key \
          "${REF}"

        # Verify the attestation
        cosign verify-attestation \
          --type spdxjson \
          --key keys/cosign.pub \
          "${REF}"

        # Ensure the image satisfies the policy
        ../policy-tester \
          --policy policies/custom-key-attestation-sbom-spdxjson.yaml \
          --image "${REF}"

    # Make sure we can't run Jobs, exercise metadata CIP matching.
    - name: Example (verify CIP level typemeta policy failure)
      working-directory: ./src/github.com/${{ github.repository }}
      run: |
        REF="ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d"

        # Ensure the image does not satisfy the policy
        if ./policy-tester \
          --policy examples/policies/allow-only-pods.yaml \
          --image "${REF}" \
          --resource test/testdata/resources/job.yaml ; then
            echo Failed to block Job from running
            exit 1
        fi

    # Make sure we can run Pods, exercise metadata CIP matching.
    # Counterpart of the Job check: the same allow-only-pods policy and the same
    # digest-pinned image must be accepted when the resource is a Pod.
    - name: Example (verify CIP level typemeta policy success)
      working-directory: ./src/github.com/${{ github.repository }}
      run: |
        REF="ghcr.io/sigstore/timestamp-server@sha256:dcf2f3a640bfb0a5d17aabafb34b407fe4403363c715718ab305a62b3606540d"

        # Ensure the image satisfies the policy
        ./policy-tester \
          --policy examples/policies/allow-only-pods.yaml \
          --image "${REF}" \
          --resource test/testdata/resources/pod.yaml

    # This example requires public Fulcio, so it only runs on push events
    # (main and release-* per this workflow's triggers), never on pull requests.
    # No --key is passed to cosign: presumably it signs keylessly with the
    # workflow's OIDC identity, which is why the job requests id-token: write.
    - if: ${{ github.event_name == 'push' }}
      name: Example (keyless-attestation-sbom-spdxjson)
      working-directory: ./src/github.com/${{ github.repository }}/examples
      run: |
        REF="localhost:5000/examples/keyless-attestation-sbom-spdxjson"

        # Push an image
        docker pull alpine
        docker tag alpine "${REF}"
        docker push "${REF}"

        # Attach attestation to image
        cosign attest --yes --type spdxjson \
          --predicate sboms/example.spdx.json \
          "${REF}"

        # Ensure the image satisfies the policy
        ../policy-tester \
          --policy policies/keyless-attestation-sbom-spdxjson.yaml \
          --image "${REF}"

    # This example requires public Fulcio, so it only runs on push events
    # (main and release-* per this workflow's triggers), never on pull requests.
    # `cosign sign` is called without a key and without --yes; the job-level
    # COSIGN_YES: "true" is what keeps it non-interactive.
    - if: ${{ github.event_name == 'push' }}
      name: Example (signed-by-github-actions)
      working-directory: ./src/github.com/${{ github.repository }}/examples
      run: |
        REF="localhost:5000/examples/signed-by-github-actions"

        # Push an image
        docker pull alpine
        docker tag alpine "${REF}"
        docker push "${REF}"

        # Sign image
        cosign sign "${REF}"

        # Ensure the image satisfies the policy
        ../policy-tester \
          --policy policies/signed-by-github-actions.yaml \
          --image "${REF}"


================================================
FILE: .github/workflows/release-snapshot.yaml
================================================
name: snapshot

on:
  pull_request:

permissions:
  contents: read

jobs:
  snapshot:

    runs-on: ubuntu-latest
    steps:
      - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
        with:
          android: true
          dotnet: true
          haskell: true
          large-packages: true
          docker-images: true
          swap-storage: true

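      # Runs on pull requests and builds the checked-out code, so the job token
      # is not persisted into .git/config; no later step pushes with git.
      # GoReleaser still receives GITHUB_TOKEN through its own env block.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false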

      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: './go.mod'
          check-latest: true

      - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0

      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

      # Exports the linker flags computed by release/ldflags.sh as GO_FLAGS for
      # later steps (read back below as env.GO_FLAGS).
      # NOTE(review): the nested quotes in the echo line end the string before
      # ${goflags}, so the value is expanded unquoted (word-split and
      # glob-expanded) before being written to $GITHUB_ENV. Confirm ldflags
      # prints a single line, then prefer echo "GO_FLAGS=${goflags}".
      - name: Set LDFLAGS
        id: ldflags
        run: |
           source ./release/ldflags.sh
           goflags=$(ldflags)
           echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"

      - name: Run GoReleaser
        id: run-goreleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          version: latest
          args: release --snapshot --clean --timeout 120m --skip=sign
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          LDFLAGS: ${{ env.GO_FLAGS }}


================================================
FILE: .github/workflows/release.yaml
================================================
name: Cut Release

on:
  push:
    tags:
      - "v*"

concurrency: cut-release

permissions:
  contents: write # needed to write releases
  id-token: write # needed for keyless signing
  packages: write # needed for pushing the images to ghcr.io

jobs:
  release:
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
      tag_name: ${{ steps.tag.outputs.tag_name }}
    runs-on: ubuntu-latest
    steps:
      - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
        with:
          android: true
          dotnet: true
          haskell: true
          large-packages: true
          docker-images: true
          swap-storage: true

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: './go.mod'
          check-latest: true

      - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2

      - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0

      - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

      # Despite the shared step name, this first step is the authentication
      # step: it exchanges the workflow's OIDC token (id-token: write above)
      # for credentials of the named service account through a workload
      # identity provider, so no long-lived service-account key is configured
      # in this workflow.
      - name: Set up Cloud SDK
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-policy-controller'
          service_account: 'gha-policy-controller@projectsigstore.iam.gserviceaccount.com'

      # Installs the gcloud CLI used by the `creds` step that follows.
      - name: 'Set up Cloud SDK'
        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1

      - name: creds
        run: gcloud auth configure-docker --quiet

      # Exports the linker flags computed by release/ldflags.sh as GO_FLAGS for
      # the GoReleaser and image-build steps (read back as env.GO_FLAGS).
      # NOTE(review): the nested quotes in the echo line end the string before
      # ${goflags}, so the value is expanded unquoted (word-split and
      # glob-expanded) before being written to $GITHUB_ENV. Confirm ldflags
      # prints a single line, then prefer echo "GO_FLAGS=${goflags}".
      - name: Set LDFLAGS
        id: ldflags
        run: |
           source ./release/ldflags.sh
           goflags=$(ldflags)
           echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"

      - name: Set tag output
        id: tag
        run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"

      # Builds and publishes the release; its `artifacts` output feeds the
      # "Generate subject" step that selects the checksum file for provenance.
      - name: Run GoReleaser
        id: run-goreleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          # NOTE(review): the action itself is pinned by commit, but
          # `version: latest` lets the GoReleaser binary it installs change
          # between runs. Consider pinning a specific GoReleaser version so
          # release builds are reproducible and tool updates are reviewed.
          version: latest
          args: release --clean --timeout 120m --parallelism 1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          LDFLAGS: ${{ env.GO_FLAGS }}

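      # Publishes the base64-encoded checksum file(s) as the `hashes` output.
      # The provenance job uses that output as its base64-subjects, so an empty
      # or partial value must fail the release rather than yield provenance
      # that covers nothing.
      - name: Generate subject
        id: hash
        env:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
          # Paths of every artifact GoReleaser reported with type "Checksum".
          checksum_paths=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
          if [ -z "$checksum_paths" ]; then
            echo "GoReleaser reported no Checksum artifact" >&2
            exit 1
          fi
          # One array element per line, so paths are passed to cat intact.
          mapfile -t checksum_files <<< "$checksum_paths"
          # Assign first: a failure inside $(...) on an assignment trips
          # `set -e`, whereas inside an echo argument it would be ignored.
          hashes=$(cat -- "${checksum_files[@]}" | base64 -w0)
          echo "hashes=${hashes}" >> "$GITHUB_OUTPUT"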

      - name: build images
        run: |
          make build-sign-release-images
        env:
          LDFLAGS: ${{ env.GO_FLAGS }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Best-effort step: `|| true` means a failed copy does not fail the
      # release job.
      # NOTE(review): a failure here is only visible in the step log; if the
      # copied images are a supported distribution channel, consider surfacing
      # the failure (for example a warning annotation) instead of discarding it.
      - name: copy-signed-release-to-ghcr
        run: make copy-signed-release-to-ghcr || true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Generates SLSA provenance for the checksums emitted by the release job and
  # attaches it to the release. The job-level permissions below replace the
  # workflow-level ones, so this job does not get packages: write.
  provenance:
    needs: [release]
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    # NOTE(review): unlike the commit-pinned actions in this file, this
    # reusable workflow is referenced by tag. The slsa-github-generator
    # documentation asks for a full vX.Y.Z tag reference for its reusable
    # workflows; confirm against upstream before switching to a commit SHA.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.release.outputs.hashes }}"
      upload-assets: true # upload to a new release
      upload-tag-name: "${{ needs.release.outputs.tag_name }}"


================================================
FILE: .github/workflows/scorecard_action.yml
================================================
name: Scorecards supply-chain security
on:
  # Only the default branch is supported.
  branch_protection_rule:
  schedule:
    # Weekly on Saturdays.
    - cron: '30 1 * * 6'
  push:
    branches: [ main ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      actions: read
      contents: read
      id-token: write

    steps:
      - name: "Checkout code"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          # Read-only PAT token. To create it,
          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
          repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # Publish the results for public repositories to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories, `publish_results` will automatically be set to `false`, regardless
          # of the value entered here.
          publish_results: true

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5
        with:
          sarif_file: results.sarif


================================================
FILE: .github/workflows/style.yaml
================================================
name: Code Style

on:
  pull_request:
    branches: [ 'main', 'release-*' ]

permissions: read-all

jobs:
  gofmt:
    name: check gofmt
    runs-on: ubuntu-latest

    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: './go.mod'
          check-latest: true

      - uses: chainguard-dev/actions/gofmt@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
        with:
          args: -s

  goimports:
    name: check goimports
    runs-on: ubuntu-latest

    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: './go.mod'
          check-latest: true

      - uses: chainguard-dev/actions/goimports@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9


================================================
FILE: .github/workflows/tests.yaml
================================================
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: CI-Tests

on:
  workflow_dispatch:
  push:
    branches: ['main', 'release-*']
  pull_request:

permissions: read-all

jobs:
  unit-tests:
    name: Run unit tests
    permissions:
      contents: read
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest]
    env:
      OS: ${{ matrix.os }}

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          # In order:
          # * Module download cache
          # * Build cache (Linux)
          path: |
            ~/go/pkg/mod
            ~/.cache/go-build
            ~/Library/Caches/go-build
            %LocalAppData%\go-build
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: './go.mod'
          check-latest: true
      - name: Run Go tests
        run: go test -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/)
      - name: Upload Coverage Report
        uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
        with:
          env_vars: OS
      - name: Run Go tests w/ `-race`
        if: ${{ runner.os == 'Linux' }}
        run: go test -race $(go list ./... | grep -v third_party/)

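  # Fails the build when a source file outside third_party/ lacks the Apache
  # license header attributed to "The Sigstore Authors".
  license-check:
    name: license boilerplate check
    # Same scope as the unit-tests job: this job only needs to read the
    # repository, so it does not inherit the workflow-level read-all default.
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version-file: './go.mod'
          check-latest: true
      - name: Install addlicense
        # NOTE(review): @latest is resolved at run time, so the tool version
        # can change between runs without a reviewed commit, unlike the
        # SHA-pinned actions above. Consider pinning a released version.
        run: go install github.com/google/addlicense@latest
      - name: Check license headers
        run: |
          set -e
          addlicense -check -l apache -c 'The Sigstore Authors' -ignore "third_party/**" -v *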


================================================
FILE: .github/workflows/verify-codegen.yaml
================================================
#
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Codegen

on:
  workflow_dispatch:
  push:
    branches: ['main', 'release-*']
  pull_request:

permissions: read-all

jobs:
  verify:
    name: Verify codegen
    runs-on: ubuntu-latest

    env:
      GOPATH: ${{ github.workspace }}

    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        path: ./src/github.com/${{ github.repository }}
        fetch-depth: 0

    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
      with:
        go-version-file: './src/github.com/${{ github.repository }}/go.mod'
        check-latest: true

    # Regenerates the generated code in place; the nodiff step that follows
    # fails the job if the working tree then differs from the commit.
    - shell: bash
      working-directory: ./src/github.com/${{ github.repository }}
      run: |
        ./hack/update-codegen.sh

        # For whatever reason running this makes it not complain...
        # NOTE(review): presumably `git status` refreshes the index's cached
        # file stats, so files rewritten with identical content are no longer
        # reported as modified by the later diff check. TODO confirm.
        git status

    - uses: chainguard-dev/actions/nodiff@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
      with:
        path: ./src/github.com/${{ github.repository }}
        fixup-command: "./hack/update-codegen.sh"


================================================
FILE: .github/workflows/verify-docs.yaml
================================================
#
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: API Docs Generator

# Triggers: manual dispatch, pushes to main / release-*, and all pull requests.
on:
  workflow_dispatch:
  push:
    branches: ['main', 'release-*']
  pull_request:

# Read-only token for the whole workflow.
# NOTE(review): `read-all` is broader than the visible steps appear to need;
# `contents: read` may be sufficient — confirm before narrowing.
permissions: read-all

jobs:
  # Regenerates the API docs with `make docs` and passes the tree to nodiff.
  verify-docs:
    name: Verify API docs
    runs-on: ubuntu-latest

    env:
      # The workspace doubles as GOPATH, hence the src/github.com/... checkout path.
      GOPATH: ${{ github.workspace }}

    steps:
    # Each `uses:` is pinned to a commit SHA, with the release tag noted alongside.
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      with:
        path: ./src/github.com/${{ github.repository }}
        # Full clone (no depth limit).
        fetch-depth: 0

    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
      with:
        # Toolchain version comes from go.mod in the checked-out tree.
        go-version-file: './src/github.com/${{ github.repository }}/go.mod'
        check-latest: true

    # Runs the Makefile from the checked-out ref, i.e. pull-request code on
    # pull_request events, with the job's read-only token available.
    # NOTE(review): consider `persist-credentials: false` on checkout if nothing
    # after this step needs the token — confirm.
    - shell: bash
      working-directory: ./src/github.com/${{ github.repository }}
      run: |
        make docs

        # For whatever reason running this makes it not complain...
        git status

    # Presumably fails when `make docs` produced a diff and points contributors at
    # `fixup-command` — behaviour is defined by the nodiff action, confirm there.
    - uses: chainguard-dev/actions/nodiff@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
      with:
        path: ./src/github.com/${{ github.repository }}
        fixup-command: "make docs"


================================================
FILE: .github/workflows/whitespace.yaml
================================================
name: Whitespace

# Only pull requests targeting main or a release-* branch trigger this workflow.
on:
  pull_request:
    branches: [ 'main', 'release-*' ]

# Read-only token; nothing here pushes or comments.
# NOTE(review): `read-all` could likely be narrowed to `contents: read` — confirm.
permissions: read-all

jobs:

  whitespace:
    name: Check Whitespace
    runs-on: ubuntu-latest

    steps:
      # Actions are pinned by commit SHA; the comment records the matching tag.
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      # `always()` makes each check run even if an earlier step failed, so both
      # kinds of finding are reported in a single run.
      - uses: chainguard-dev/actions/trailing-space@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
        if: ${{ always() }}

      - uses: chainguard-dev/actions/eof-newline@d67380d0b02c09412f8e17f660ec48870bd89e6e # v1.6.9
        if: ${{ always() }}


================================================
FILE: .gitignore
================================================
# Binaries for programs and plugins
.DS_STORE
*.exe
*.exe~
*.dll
*.so
*.dylib

# Test binary, built with `go test -c`
*.test

# Output of the go coverage tool, specifically when used with LiteIDE
*.out

# Dependency directories (remove the comment below to include it)
# vendor/

# cosign stuff
/cosign*
.vscode
.idea

# fuzzing artifacts
*.libfuzzer
*fuzz.a

bin*
dist/
policyControllerImagerefs

**verify-experimental*

policy-controller
policy-tester

# Vim
*.swp

# Credential files left in the workspace by CI authentication steps (the name
# matches what google-github-actions/auth writes — confirm); must never be committed.
gha-creds-*.json

# Kind cluster configuration produced by the local-dev tool
kind.yaml


================================================
FILE: .golangci.yml
================================================
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# golangci-lint configuration (v2 schema).
version: "2"
run:
  # Exit code returned when at least one issue is reported.
  issues-exit-code: 1
linters:
  enable:
    - asciicheck
    - errorlint
    - gocritic
    # Security-focused static analysis; see the exclusions below for where it is off.
    - gosec
    - importas
    - misspell
    - prealloc
    - revive
    - staticcheck
    - tparallel
    - unconvert
    - unparam
    - whitespace
  settings:
    revive:
      rules:
        # Dot-imports are flagged except for the testing helper packages listed here.
        - name: dot-imports
          arguments:
            - allowedPackages:
                - knative.dev/pkg/configmap/testing
                - knative.dev/pkg/reconciler/testing
                - github.com/sigstore/policy-controller/pkg/reconciler/testing/v1alpha1
  exclusions:
    generated: lax
    # NOTE(review): these presets suppress groups of findings by default; check what
    # each one covers before treating a clean gosec run as complete.
    presets:
      - comments
      - common-false-positives
      - legacy
      - std-error-handling
    rules:
      # errcheck and gosec findings are not reported for *_test.go files.
      - linters:
          - errcheck
          - gosec
        path: _test\.go
    # Vendored third-party code and examples are not linted at all.
    paths:
      - ^third_party/
      - ^examples/
issues:
  # 0 removes the cap, so every finding is reported rather than a truncated list.
  max-issues-per-linter: 0
  max-same-issues: 0
formatters:
  enable:
    - gofmt
    - goimports
  exclusions:
    generated: lax
    paths:
      - ^third_party/
      - ^examples/


================================================
FILE: .goreleaser.yaml
================================================
# GoReleaser configuration: builds the `tester` binary for several platforms,
# signs the binaries and the checksum file with cosign, and publishes a GitHub release.
project_name: policy-controller
version: 2

env:
  - GO111MODULE=on
  # Presumably makes cosign skip its interactive confirmation prompts so signing
  # can run unattended in CI — confirm against the cosign version in use.
  - COSIGN_YES=true

before:
  hooks:
    # Fail the release if `go mod tidy` changes go.mod or go.sum, i.e. if the
    # committed module files do not match what is actually being built.
    - go mod tidy
    - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'

builds:
  - id: tester
    binary: tester-{{ .Os }}-{{ .Arch }}
    no_unique_dist_dir: true
    main: ./cmd/tester
    flags:
      # Strips local filesystem paths from the binary.
      - -trimpath
    # File timestamps follow the commit time rather than the build time.
    mod_timestamp: '{{ .CommitTimestamp }}'
    goos:
      - linux
      - darwin
      - windows
    goarch:
      - amd64
      - arm64
      - arm
      - s390x
      - ppc64le
    goarm:
      - 7
    # Windows is only built for amd64; the other Windows combinations are skipped.
    ignore:
      - goos: windows
        goarch: arm64
      - goos: windows
        goarch: arm
      - goos: windows
        goarch: s390x
      - goos: windows
        goarch: ppc64le
    # Linker flags are taken verbatim from the LDFLAGS environment variable.
    ldflags:
      - "{{ .Env.LDFLAGS }}"
    env:
      - CGO_ENABLED=0

signs:
  # Keyless
  # No key is passed to `cosign sign-blob`; each artifact gets a signature (.sig)
  # and a signing certificate (.pem). When verifying, consumers should pin the
  # expected signer with `cosign verify-blob --certificate-identity ...
  # --certificate-oidc-issuer ...` rather than accept any valid certificate.
  - id: tester
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: cosign
    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
    artifacts: binary
  # Same signing procedure applied to the checksum file.
  - id: checksum-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: cosign
    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
    artifacts: checksum

archives:
  # Binaries are published as-is, not wrapped in an archive.
  - format: binary
    name_template: "{{ .Binary }}"
    allow_different_binary_count: true

checksum:
  name_template: "{{ .ProjectName }}_checksums.txt"

snapshot:
  version_template: SNAPSHOT-{{ .ShortCommit }}

release:
  prerelease: allow # remove this when we start publishing non-prerelease or set to auto
  github:
    owner: sigstore
    name: policy-controller
  footer: |
    ### Thanks to all contributors!
  # Release manifests matching this glob are attached to the GitHub release.
  extra_files:
    - glob: "./policy-controller*.yaml"


================================================
FILE: .ko.yaml
================================================
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Base image for every ko build in this file.
# NOTE(review): `:latest` is a mutable tag, so the base can change between builds
# without any change in this repository. Pinning by digest
# (`cgr.dev/chainguard/static@sha256:<DIGEST>`) makes the image reproducible and
# lets a base-image update show up as a reviewable diff.
defaultBaseImage: cgr.dev/chainguard/static:latest

builds:
  # The admission webhook binary, built from ./cmd/webhook.
  - id: policy-controller
    dir: .
    main: ./cmd/webhook
    env:
      # Pure-Go build, no cgo.
      - CGO_ENABLED=0
    flags:
      # Strips local filesystem paths from the binary.
      - -trimpath
      # NOTE(review): GIT_HASH and GIT_VERSION are passed as values of `--tags`,
      # which go build treats as build tags; version data is usually injected via
      # ldflags instead — confirm this is intended.
      - --tags
      - "{{ .Env.GIT_HASH }}"
      - --tags
      - "{{ .Env.GIT_VERSION }}"
    ldflags:
      - -extldflags "-static"
      # Remaining linker flags come from the LDFLAGS environment variable.
      - "{{ .Env.LDFLAGS }}"



================================================
FILE: CHANGELOG.md
================================================
# v0.12.0

* drop 1.27/28 and add 1.30/31/32 k8s
* fix post submit job
* Use v0.7.18 for scaffolding, update k8s versions to test with

## Contributors

* Carlos Tadeu Panato Junior
* Ville Aikas

# v0.1.0

## Enhancements

* Refactor entire policy validation into ValidatePolicy.
* Set reinvocationPolicy to 'IfNeeded' for the tag resolver webhook
* Add policy-tester CLI for testing ClusterImagePolicies
* (tester) Validate CIP before using it.
* (tester) call SetDefaults on cip before conversion
* remove v1.21 k8s which is deprecated and add v1.24
* chore: do not fail to verify signed images if the secret-name flag is not set

## Bug fixes

* Fix issue #38. Do not block status updates.
* Avoid test race condition.
* Fix https://github.com/sigstore/cosign/issues/1653
* Allow for @ symbol on globs to support image refs with digest
* Validate globs at admission time.
* fix: add missing conversion to CRD
* fix: solve vuln from our opa version
* Fix issue #24
* Bump some vulnerable dependencies; base on distroless/static

## Others

* Bump mikefarah/yq from 4.25.3 to 4.26.1
* Bump actions/dependency-review-action from 2.0.2 to 2.0.4
* Bump google.golang.org/grpc from 1.47.0 to 1.48.0
* Bump github/codeql-action from 2.1.15 to 2.1.16
* Bump actions/cache from 3.0.4 to 3.0.5
* Bump actions/setup-go from 3.2.0 to 3.2.1
* update knative to use v1.5.0 release
* update scaffolding to use release v0.3.0
* Bump github.com/aws/aws-sdk-go-v2 from 1.16.6 to 1.16.7
* Bump sigstore/cosign-installer from 2.4.0 to 2.4.1
* Bump github.com/aws/aws-sdk-go-v2 from 1.16.5 to 1.16.6
* increase timeout for golangci-lint
* Bump github.com/stretchr/testify from 1.7.5 to 1.8.0
* Bump github/codeql-action from 2.1.14 to 2.1.15
* Switch to direct returns
* Bump github.com/hashicorp/go-version from 1.5.0 to 1.6.0
* Bump ossf/scorecard-action from 1.1.1 to 1.1.2
* chore: skip secret not found
* Bump github.com/stretchr/testify from 1.7.4 to 1.7.5
* Bump mikefarah/yq from 4.25.2 to 4.25.3
* Bump github/codeql-action from 2.1.13 to 2.1.14
* Bump github.com/google/go-containerregistry from 0.9.0 to 0.10.0
* Bump github.com/stretchr/testify from 1.7.2 to 1.7.4
* Bump github/codeql-action from 2.1.12 to 2.1.13
* Bump actions/dependency-review-action from 2.0.1 to 2.0.2
* Bump actions/dependency-review-action from 1.0.2 to 2.0.1
* Update tests for OR behaviour wrt authorities.
* remove unused struct from imports
* Add policy to make sure signature and attestation is there.
* Return authoritymatches before errors.
* remove third_party stuff due to mismatch in go version.
* Use fulcioroots from sigstore/sigstore
* Even if some authority returns err, return any other matching authority results.
* Use public fulcio/rekor to make sure things are not there.
* hack/update-deps.sh

## Contributors

* Carlos Tadeu Panato Junior
* Hector Fernandez
* Jason Hall
* Josh Dolitsky
* Matt Moore
* Ville Aikas
* Vladimir Nachev
* cpanato
* dependabot[bot]
* dlorenc
* hectorj2f


================================================
FILE: CODEOWNERS
================================================
# The CODEOWNERS are managed via a GitHub team, but the current list is (in alphabetical order):
#
# lukehinds


================================================
FILE: CODE_OF_CONDUCT.md
================================================
# Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as
contributors and maintainers pledge to making participation in our project and
our community a harassment-free experience for everyone, regardless of age, body
size, disability, ethnicity, gender identity and expression, level of experience,
nationality, personal appearance, race, religion, or sexual identity and
orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment
include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or
  advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic
  address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a
  professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable
behavior and are expected to take appropriate and fair corrective action in
response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct, or to ban temporarily or
permanently any contributor for other behaviors that they deem inappropriate,
threatening, offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community. Examples of
representing a project or community include using an official project e-mail
address, posting via an official social media account, or acting as an appointed
representative at an online or offline event. Representation of a project may be
further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting the project team at <maintainers@sigstore.dev>. All
complaints will be reviewed and investigated and will result in a response that
is deemed necessary and appropriate to the circumstances. The project team is
obligated to maintain confidentiality with regard to the reporter of an incident.
Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good
faith may face temporary or permanent repercussions as determined by other
members of the project's leadership.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
available at [http://contributor-covenant.org/version/1/4][version]

[homepage]: http://contributor-covenant.org
[version]: http://contributor-covenant.org/version/1/4/

================================================
FILE: COPYRIGHT.txt
================================================

Copyright 2021 The Sigstore Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


================================================
FILE: LICENSE
================================================
                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.

   END OF TERMS AND CONDITIONS

   APPENDIX: How to apply the Apache License to your work.

      To apply the Apache License to your work, attach the following
      boilerplate notice, with the fields enclosed by brackets "[]"
      replaced with your own identifying information. (Don't include
      the brackets!)  The text should be enclosed in the appropriate
      comment syntax for the file format. We also recommend that a
      file or class name and description of purpose be included on the
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

   Copyright [yyyy] [name of copyright owner]

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.


================================================
FILE: Makefile
================================================
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
ifeq (,$(shell go env GOBIN))
GOBIN=$(shell go env GOPATH)/bin
else
GOBIN=$(shell go env GOBIN)
endif

# Every Go source file except those under ./vendor; input to checkfmt and fmt.
GOFILES ?= $(shell find . -type f -name '*.go' -not -path "./vendor/*")

# Set version variables for LDFLAGS
PROJECT_ID ?= projectsigstore
RUNTIME_IMAGE ?= gcr.io/distroless/static
GIT_VERSION ?= $(shell git describe --tags --always --dirty)
GIT_HASH ?= $(shell git rev-parse HEAD)
DATE_FMT = +%Y-%m-%dT%H:%M:%SZ
# Defaults to the timestamp of the last commit, so rebuilding the same commit
# stamps the same build date unless the caller overrides SOURCE_DATE_EPOCH.
# The date command below tries GNU syntax (-d @epoch), then BSD syntax (-r epoch),
# and finally falls back to the current time.
SOURCE_DATE_EPOCH ?= $(shell git log -1 --pretty=%ct)
ifdef SOURCE_DATE_EPOCH
    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u "$(DATE_FMT)")
else
    BUILD_DATE ?= $(shell date "$(DATE_FMT)")
endif
# Tree state is "dirty" when `git diff --quiet` exits with status 1, "clean" otherwise.
GIT_TREESTATE = "clean"
DIFF = $(shell git diff --quiet >/dev/null 2>&1; if [ $$? -eq 1 ]; then echo "1"; fi)
ifeq ($(DIFF), 1)
    GIT_TREESTATE = "dirty"
endif

POLICY_CONTROLLER_ARCHS?=all

# `-buildid=` blanks the Go build ID; the -X flags stamp version, commit, tree
# state and build date into sigs.k8s.io/release-utils/version.
LDFLAGS=-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$(GIT_VERSION) \
        -X sigs.k8s.io/release-utils/version.gitCommit=$(GIT_HASH) \
        -X sigs.k8s.io/release-utils/version.gitTreeState=$(GIT_TREESTATE) \
        -X sigs.k8s.io/release-utils/version.buildDate=$(BUILD_DATE)

SRCS = $(shell find cmd -iname "*.go") $(shell find pkg -iname "*.go")

# golangci-lint is installed into ./bin of the working directory, not into GOBIN.
GOLANGCI_LINT_DIR = $(shell pwd)/bin
GOLANGCI_LINT_BIN = $(GOLANGCI_LINT_DIR)/golangci-lint

# Registry prefixes and the name of the generated release manifest.
# KO_DOCKER_REPO is exported so that ko picks it up from the environment.
KO_PREFIX ?= gcr.io/projectsigstore
export KO_DOCKER_REPO=$(KO_PREFIX)
GHCR_PREFIX ?= ghcr.io/sigstore/policy-controller
POLICY_CONTROLLER_YAML ?= policy-controller-$(GIT_VERSION).yaml
LATEST_TAG ?=

# Default goal: build the webhook binary.
.PHONY: all lint test clean policy-controller cross docs
all: policy-controller

# log-<target> prints, in cyan, the description that follows the double-hash
# marker on the line declaring <target>. Targets call it as
# `$(MAKE) log-$@` to announce themselves.
log-%:
	@grep -h -E '^$*:.*?## .*$$' $(MAKEFILE_LIST) | \
		awk \
			'BEGIN { \
				FS = ":.*?## " \
			}; \
			{ \
				printf "\033[36m==> %s\033[0m\n", $$2 \
			}'

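# checkfmt lists every file that gofmt or goimports would rewrite and fails
# when either list is non-empty. The checks are ordinary recipe commands so
# that the exit status of `test` reaches make; when they were wrapped in
# $(shell ...) that status was discarded and the target could never fail.
# The file names are still echoed to stderr through tee.
.PHONY: checkfmt
checkfmt: SHELL := /usr/bin/env bash
checkfmt: ## Check formatting of all go files
	@ $(MAKE) --no-print-directory log-$@
	test -z "$$(gofmt -l $(GOFILES) | tee /dev/stderr)"
	test -z "$$(goimports -l $(GOFILES) | tee /dev/stderr)"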

# fmt rewrites the files in place (goimports -w); checkfmt is the read-only
# counterpart.
.PHONY: fmt
fmt: ## Format all go files
	@ $(MAKE) --no-print-directory log-$@
	goimports -w $(GOFILES)

# The three binaries below are built the same way: cgo disabled, -trimpath so
# local filesystem paths are not recorded in the binary, and the shared
# LDFLAGS for version stamping.

## Build policy-controller binary
.PHONY: policy-controller
policy-controller:
	CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/webhook

## Build policy-tester binary
.PHONY: policy-tester
policy-tester:
	CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/tester

## Build local-dev binary
# Unlike the two targets above, the output goes to bin/local-dev.
.PHONY: local-dev
local-dev:
	CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o bin/$@ ./cmd/local-dev

#####################
# lint / test section
#####################

# Removes any existing ./bin/golangci-lint and reinstalls it with `go install`
# at a fixed version tag, so the linter version is set here rather than by
# whatever is on the developer's PATH.
golangci-lint:
	rm -f $(GOLANGCI_LINT_BIN) || :
	set -e ;\
	GOBIN=$(GOLANGCI_LINT_DIR) go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.6.2 ;\

lint: golangci-lint ## Run golangci-lint linter
	$(GOLANGCI_LINT_BIN) run -n

# Runs the unit tests for every package except those under third_party/.
test:
	go test $(shell go list ./... | grep -v third_party/)

# Only the policy-controller binary is removed; policy-tester, bin/ and the
# generated release YAML are left in place.
clean:
	rm -rf policy-controller

# ko's build cache lives at a fixed path under /tmp.
# NOTE(review): on a build host shared with other local users a fixed /tmp
# path can be pre-created by someone else; consider a per-user or per-job
# directory for release builds.
KOCACHE_PATH=/tmp/ko
# Image labels passed to ko build. The artifacthub package version label is
# the literal 0.1.0 and does not follow GIT_VERSION.
ARTIFACT_HUB_LABELS=--image-label io.artifacthub.package.readme-url="https://raw.githubusercontent.com/sigstore/policy-controller/main/README.md" \
                    --image-label io.artifacthub.package.license=Apache-2.0 --image-label io.artifacthub.package.vendor=sigstore \
                    --image-label io.artifacthub.package.version=0.1.0 \
                    --image-label io.artifacthub.package.name=policy-controller \
                    --image-label org.opencontainers.image.created=$(BUILD_DATE) \
                    --image-label org.opencontainers.image.description="Kubernetes webhook for configuring admission policies" \
                    --image-label io.artifacthub.package.alternative-locations="oci://ghcr.io/sigstore/policy-controller/policy-controller"

# Helper that creates the ko cache directory. No target in this file calls it;
# presumably the included release/ci makefiles do - confirm.
define create_kocache_path
  mkdir -p $(KOCACHE_PATH)
endef

##########
# ko build
##########
.PHONY: ko
ko: ko-policy-controller

# Builds and publishes the webhook image with ko and produces the release
# manifest. The kustomize prerequisite first overwrites
# $(POLICY_CONTROLLER_YAML); `ko resolve` then appends the resolved
# config/webhook.yaml to the same file. The image is tagged with GIT_VERSION
# and GIT_HASH (LATEST_TAG is appended to the latter verbatim) and the pushed
# references are written to the file policyControllerImagerefs.
.PHONY: ko-policy-controller
ko-policy-controller: kustomize-policy-controller
	# policy-controller
	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
	KOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=$(KO_PREFIX)/policy-controller ko resolve --bare \
		--platform=$(POLICY_CONTROLLER_ARCHS) --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
		--image-refs policyControllerImagerefs --filename config/webhook.yaml >> $(POLICY_CONTROLLER_YAML)

# Builds the webhook image for all platforms with KO_DOCKER_REPO=ko.local,
# i.e. without pushing to the release registry.
.PHONY: ko-local
ko-local:
	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
	KOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=ko.local ko build --base-import-paths \
		--tags $(GIT_VERSION) --tags $(GIT_HASH) \
		$(ARTIFACT_HUB_LABELS) \
		--platform=all \
		github.com/sigstore/policy-controller/cmd/webhook

# Builds the images and applies everything under config/ to a cluster.
# NOTE(review): no cluster or context is named here, so this acts on whatever
# cluster the current kubeconfig context selects - check it before running.
.PHONY: ko-apply
ko-apply:
	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) ko apply -Bf config/


# Renders config/ with kustomize, overwriting $(POLICY_CONTROLLER_YAML).
.PHONY: kustomize-policy-controller
kustomize-policy-controller:
	kustomize build config/ > $(POLICY_CONTROLLER_YAML)

##################
# help
##################

# Prints a sorted list of the targets that carry a double-hash description on
# their own line, taken from every makefile read so far.
help: # Display help
	@awk -F ':|##' \
		'/^[^\t].+?:.*?##/ {\
			printf "\033[36m%-30s\033[0m %s\n", $$1, $$NF \
		}' $(MAKEFILE_LIST) | sort

# Release and CI targets are defined in these two files.
include release/release.mk
include test/ci.mk

.PHONY: docs
docs: docs/generate-api

# Regenerates the API reference for v1beta1 and v1alpha1 by running
# cmd/api-docs over the *types.go files of each version and redirecting its
# stdout into docs/api-types/.
# NOTE(review): the recipe passes $(GO_LDFLAGS), which is not defined in this
# file (the variable set above is LDFLAGS); it may come from an included
# makefile, otherwise it expands to an empty string - confirm.
.PHONY: docs/generate-api
docs/generate-api:
	mkdir -p docs/api-types; \
	  go run -ldflags "$(GO_LDFLAGS)" ./cmd/api-docs/main.go \
	    "v1beta1" \
	    `find ./pkg/apis/policy/v1beta1/ -iname '*types.go' |  sort -r | tr '\n' ' '` \
	    > docs/api-types/index.md;
	  go run -ldflags "$(GO_LDFLAGS)" ./cmd/api-docs/main.go \
	    "v1alpha1" \
	    `find ./pkg/apis/policy/v1alpha1/ -iname '*types.go' |  sort -r | tr '\n' ' '` \
	    > docs/api-types/index-v1alpha1.md;

# Regenerates the test fixtures by running hack/gentestdata/gentestdata.go.
.PHONY: generate-testdata
generate-testdata:
	go run hack/gentestdata/gentestdata.go


================================================
FILE: README.md
================================================
<p align="center">
  <img style="max-width: 100%;width: 300px;" src="https://raw.githubusercontent.com/sigstore/community/main/artwork/policy-controller/Horizontal/Full%20Color/sigstore_policycontroller-horizontal-color.svg" alt="Policy Controller logo"/>
</p>

# Policy Controller

The `policy-controller` admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from `cosign`.

[![Go Report Card](https://goreportcard.com/badge/github.com/sigstore/policy-controller)](https://goreportcard.com/report/github.com/sigstore/policy-controller)
[![e2e-tests](https://github.com/sigstore/policy-controller/actions/workflows/kind-e2e-cosigned.yaml/badge.svg)](https://github.com/sigstore/policy-controller/actions/workflows/kind-e2e-cosigned.yaml)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/sigstore/policy-controller/badge)](https://api.securityscorecards.dev/projects/github.com/sigstore/policy-controller)

`policy-controller` also resolves image tags to digests, to ensure that the image being run is not different from the one that was admitted.

See the [installation instructions](https://docs.sigstore.dev/policy-controller/installation) for more information.

Today, `policy-controller` can automatically validate signatures and
attestations on container images.
Enforcement is configured on a per-namespace basis, and multiple keys are supported.

We're actively working on more features here.

For more information about the `policy-controller`, have a look at our documentation website [here](https://docs.sigstore.dev/policy-controller/overview).

## Examples

Please see the [examples/](./examples/) directory for example policies etc.

## Policy Testing

This repo includes a `policy-tester` tool which enables checking a policy against
various images.

In the root of this repo, run the following to build:
```
make policy-tester
```

Then run it pointing to a YAML file containing a ClusterImagePolicy, and an image to evaluate the policy against:
```
(set -o pipefail && \
    ./policy-tester \
        --policy=test/testdata/policy-controller/tester/cip-public-keyless.yaml \
        --image=ghcr.io/sigstore/cosign/cosign:v1.9.0 | jq)
```

## Local Development

You can spin up a local [Kind](https://kind.sigs.k8s.io/) K8s cluster to test local changes to the policy controller using the `local-dev`
CLI tool. Build the tool with `make local-dev` and then run it with `./bin/local-dev setup`.

It optionally accepts the following:

```
--cluster-name
--k8s-version
--registry-url
```

You can clean up the cluster with `./bin/local-dev clean --cluster-name=<my cluster name>`.

You will need to have the following tools installed to use this:
- [Docker](https://docs.docker.com/get-docker/)
- [kind](https://kind.sigs.k8s.io/)
- [ko](https://ko.build/install/)
- [kubectl](https://kubernetes.io/docs/tasks/tools/)

### Use local registry

If you would like to use the local Kind registry instead of a live one,
do not include the `registry-url` flag when calling the CLI. It will default to using the local registry. But before running the CLI, you must add the following line to your `/etc/hosts` file first:
`127.0.0.1 registry.local`

## Using Policy Controller with Azure Container Registry (ACR)

To allow the webhook to make requests to ACR, you must use one of the following
methods to authenticate:

1. Managed identities (used with AKS clusters)
1. Service principals (used with AKS clusters)
1. Pod imagePullSecrets (used with non AKS clusters)

See the [official documentation](https://learn.microsoft.com/en-us/azure/container-registry/authenticate-kubernetes-options#scenarios).

### Managed Identities for AKS Clusters

See the [official documentation](https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?toc=%2Fazure%2Fcontainer-registry%2Ftoc.json&bc=%2Fazure%2Fcontainer-registry%2Fbreadcrumb%2Ftoc.json&tabs=azure-cli) for more details.

1. You must enable managed identities for the cluster using the `--enable-managed-identities` flag with either the `az aks create` or `az aks update` commands.
1. You must attach the ACR to the AKS cluster using the `--attach-acr` flag with either
the `az aks create` or `az aks update` commands. See [here](https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?toc=%2Fazure%2Fcontainer-registry%2Ftoc.json&bc=%2Fazure%2Fcontainer-registry%2Fbreadcrumb%2Ftoc.json&tabs=azure-cli#create-a-new-aks-cluster-and-integrate-with-an-existing-acr) for more details.
1. You must set the `AZURE_CLIENT_ID` environment variable to the managed identity's client ID.
1. You must set the `AZURE_TENANT_ID` environment
variable to the Azure tenant the managed identity
resides in.

These will be detected by the Azure credential manager.

When you create a cluster that has managed identities enabled,
a user-assigned managed identity called
`<AKS cluster name>-agentpool` is created. Use this identity's client ID
when setting `AZURE_CLIENT_ID`. Make sure the ACR is attached to
your cluster.

#### Installing Policy Controller locally from this repository

If you are deploying policy-controller directly from this repository with
`make ko-apply`, you will need to add `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` to the list of environment
variables in the [webhook deployment configuration](config/webhook.yaml).

#### Installing Policy Controller from the Helm chart

You can provide the managed identity's client ID as a custom environment
variable when installing the Helm chart:

```bash
helm install policy-controller sigstore/policy-controller --version 0.9.0 \
--set webhook.env.AZURE_CLIENT_ID=my-managed-id-client-id,webhook.env.AZURE_TENANT_ID=tenant-id
```

### Service Principals for AKS Clusters

#### Installing Policy Controller from the Helm chart

You should be able to provide the service principal client ID and tenant ID
as workload identity annotations:

```bash
helm upgrade --install policy-controller sigstore/policy-controller --version 0.9.0 \
--set-json webhook.serviceAccount.annotations="{\"azure.workload.identity/client-id\": \"${SERVICE_PRINCIPAL_CLIENT_ID}\", \"azure.workload.identity/tenant-id\": \"${TENANT_ID}\"}"
```

## Support Policy

The following policy-controller versions can run on these versions of Kubernetes:

|  | policy-controller `> 0.2.x` | policy-controller `> 0.10.x` |
|---|:---:|:---:|
| Kubernetes 1.23 | ✓ |   |
| Kubernetes 1.24 | ✓ |   |
| Kubernetes 1.25 | ✓ |   |
| Kubernetes 1.27 |   | ✓ |
| Kubernetes 1.28 |   | ✓ |
| Kubernetes 1.29 |   | ✓ |

note: not fully tested yet, but can be installed

## Release Cadence

We are intending to move to a monthly cadence for minor releases.
Minor releases will be published around the beginning of the month.
We may cut a patch release instead, if the changes are small enough not to warrant a minor release.
We will also cut patch releases periodically as needed to address bugs.

## Security

Should you discover any security issues, please refer to Sigstore's [security
policy](https://github.com/sigstore/policy-controller/security/policy).


================================================
FILE: cmd/api-docs/main.go
================================================
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"bytes"
	"fmt"
	"go/ast"
	"go/doc"
	"go/parser"
	"go/token"
	"os"
	"reflect"
	"strings"
	"text/template"
)

const (
	// headerTemplate is the text/template source for the top of the generated
	// document; its only field, .Version, is the version label passed on the
	// command line.
	headerTemplate = `

# API Documentation ({{ .Version }})

> This document is automatically generated from the API definition in the code.
`
)

var (
	// links maps the names of external Kubernetes types to the page that
	// documents them. Every URL points at the v1.25 API reference.
	links = map[string]string{
		"metav1.ObjectMeta":           "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta",
		"metav1.ListMeta":             "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#listmeta-v1-meta",
		"metav1.LabelSelector":        "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#labelselector-v1-meta",
		"metav1.GroupVersionResource": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#groupversionresource-v1-meta",
		"v1.SecretReference":          "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#secretreference-v1-core",
		"v1.LocalObjectReference":     "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#localobjectreference-v1-core",
	}
	// selfLinks maps the types documented by this run to their in-page
	// anchors. It starts empty and is filled by printAPIDocs after the first
	// parse, which is why the sources are parsed twice.
	selfLinks = map[string]string{}
)

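// main expects the API version label followed by the Go source files to
// document: api-docs <version> [types.go ...]. The document is written to
// stdout.
func main() {
	// Without this guard a bare invocation panics on os.Args[1] with an
	// index-out-of-range error instead of explaining what is missing.
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: api-docs <version> [types.go ...]")
		os.Exit(2)
	}
	printAPIDocs(os.Args[1], os.Args[2:])
}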

// toSectionLink converts a heading into the anchor that links to it: the
// text is lower-cased and every space becomes a hyphen.
func toSectionLink(name string) string {
	return strings.ReplaceAll(strings.ToLower(name), " ", "-")
}

// printTOC writes the "Table of Contents" section to stdout, with one bullet
// per type that has at least one documented field. Types that consist of the
// header entry alone are left out.
func printTOC(types []KubeTypes) {
	fmt.Printf("\n## Table of Contents\n")
	for _, entry := range types {
		head := entry[0] // element 0 describes the type itself
		if len(entry) <= 1 {
			continue
		}
		fmt.Printf("* [%s](#%s)\n", head.Name, toSectionLink(head.Name))
	}
}

// printAPIDocs writes the complete Markdown document to stdout: the header
// rendered from headerTemplate, the table of contents, and one section per
// struct type found in paths. It panics if the header template cannot be
// parsed or executed.
func printAPIDocs(version string, paths []string) {
	headerData := struct {
		Version string
	}{Version: version}
	tmpl := template.Must(template.New("header").Parse(headerTemplate))
	if err := tmpl.Execute(os.Stdout, headerData); err != nil {
		panic(err)
	}

	// First pass: record which type names exist so that field types can link
	// to their own section.
	for _, entry := range ParseDocumentationFrom(paths) {
		head := entry[0]
		selfLinks[head.Name] = "#" + strings.ToLower(head.Name)
	}

	// Second pass: parse again now that selfLinks is populated.
	types := ParseDocumentationFrom(paths)

	printTOC(types)

	for _, entry := range types {
		head := entry[0]
		fmt.Printf("\n## %s\n\n%s\n\n", head.Name, head.Doc)
		if len(entry) <= 1 {
			continue
		}
		fmt.Println("| Field | Description | Scheme | Required |")
		fmt.Println("| ----- | ----------- | ------ | -------- |")
		for _, f := range entry[1:] {
			fmt.Printf("| %s | %s | %s | %t |\n", f.Name, f.Doc, f.Type, f.Mandatory)
		}
		fmt.Println("")
		fmt.Println("[Back to TOC](#table-of-contents)")
	}
}

// Pair describes one documented item: either a struct type or one of its
// fields. Name and Doc hold the item's name and its formatted comment; Type
// is the rendered field type (empty for the struct entry) and Mandatory
// records whether the field is required.
type Pair struct {
	Name, Doc, Type string
	Mandatory       bool
}

// KubeTypes holds the documentation of one struct type. Element [0] describes
// the type itself; the remaining elements are its fields, in source order.
type KubeTypes []Pair

// ParseDocumentationFrom collects the documentation of every struct type
// declared in the given source files. Each type is returned as a KubeTypes
// slice (a slice, because field order must be kept) whose first element is
// the type and whose remaining elements are its fields. Items without a
// comment are returned with an empty Doc, files that fail to parse are
// skipped, and fields whose name resolves to "-" are left out.
func ParseDocumentationFrom(srcs []string) []KubeTypes {
	var result []KubeTypes

	for _, path := range srcs {
		pkg := astFrom(path)
		if pkg == nil {
			continue
		}

		for _, typ := range pkg.Types {
			structType, isStruct := typ.Decl.Specs[0].(*ast.TypeSpec).Type.(*ast.StructType)
			if !isStruct {
				continue
			}

			entry := KubeTypes{{typ.Name, fmtRawDoc(typ.Doc), "", false}}
			for _, field := range structType.Fields.List {
				typeString := fieldType(field.Type)
				required := fieldRequired(field)
				name := fieldName(field)
				if name == "-" {
					continue
				}
				entry = append(entry, Pair{name, fmtRawDoc(field.Doc.Text()), typeString, required})
			}
			result = append(result, entry)
		}
	}

	return result
}

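// astFrom parses a single Go source file, comments included, and returns its
// go/doc view. It returns nil when the file cannot be read or parsed.
//
// The parse failure is reported on stderr. Stdout carries the generated
// Markdown (the Makefile redirects it into docs/api-types/), so printing the
// message there would write it into the published document.
func astFrom(filePath string) *doc.Package {
	fset := token.NewFileSet()

	f, err := parser.ParseFile(fset, filePath, nil, parser.ParseComments)
	if err != nil {
		fmt.Fprintf(os.Stderr, "failed to parse file %q: %v\n", filePath, err)
		return nil
	}

	// The error from NewPackage is ignored on purpose: no importer is
	// supplied, so identifiers from other packages cannot be resolved.
	files := map[string]*ast.File{filePath: f}
	apkg, _ := ast.NewPackage(fset, files, nil, nil) //nolint:staticcheck

	return doc.New(apkg, "", 0)
}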

// fmtRawDoc flattens a raw Go doc comment into a single line that can sit in
// a Markdown table cell. Everything from the first "---" on is dropped, lines
// starting with "TODO" or "+" are skipped, consecutive text lines are joined
// with a space, blank lines become a paragraph break, and indented lines keep
// a line of their own. Finally quotes, newlines, tabs and pipes are escaped.
func fmtRawDoc(rawDoc string) string {
	var out bytes.Buffer
	// dropLast removes the byte written last (a trailing " " or "\n").
	dropLast := func() {
		if n := out.Len(); n > 0 {
			out.Truncate(n - 1)
		}
	}

	// Ignore everything after the first "---".
	if cut := strings.Index(rawDoc, "---"); cut >= 0 {
		rawDoc = rawDoc[:cut]
	}

	for _, raw := range strings.Split(rawDoc, "\n") {
		text := strings.TrimRight(raw, " ")
		unindented := strings.TrimLeft(text, " ")

		if text == "" { // blank line: keep the paragraph break
			dropLast()
			out.WriteString("\n\n")
			continue
		}
		if strings.HasPrefix(unindented, "TODO") { // one-line TODOs are not documentation
			continue
		}
		if strings.HasPrefix(unindented, "+") { // code-generator markers
			continue
		}

		if text[0] == ' ' || text[0] == '\t' {
			// Indented content (for example an "Example:" body) gets a line
			// of its own instead of being joined to the previous sentence.
			dropLast()
			out.WriteString("\n" + text + "\n")
		} else {
			out.WriteString(text + " ")
		}
	}

	result := strings.TrimRight(out.String(), "\n")
	// The replacements run one after another, in this order: first undo any
	// escaping the author already applied to quotes, then escape every quote,
	// newline, tab and pipe.
	for _, rule := range [][2]string{
		{"\\\"", "\""},
		{"\"", "\\\""},
		{"\n", "\\n"},
		{"\t", "\\t"},
		{"|", "\\|"},
	} {
		result = strings.ReplaceAll(result, rule[0], rule[1])
	}

	return result
}

// toLink renders typeName as a Markdown link when a target is known for it.
// Types documented by this run (selfLinks) take precedence over the external
// Kubernetes references (links); an unknown name is returned unchanged.
func toLink(typeName string) string {
	if anchor, ok := selfLinks[typeName]; ok {
		return wrapInLink(typeName, anchor)
	}
	if url, ok := links[typeName]; ok {
		return wrapInLink(typeName, url)
	}
	return typeName
}

// wrapInLink formats text and link as the Markdown link "[text](link)".
// Neither argument is escaped.
func wrapInLink(text, link string) string {
	return "[" + text + "](" + link + ")"
}

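// fieldName returns the name of the field as it should appear in JSON format.
// "-" indicates that this field is not part of the JSON representation.
//
// The name is taken from the json struct tag when it has one; a tag that
// contains "inline" yields "-". Without a tag name the Go field name is used.
// For an embedded field the type's own name is used, whether it is written as
// T, *T, pkg.T or *pkg.T. Any other embedded expression yields "-", where the
// unchecked type assertion used before would have panicked.
func fieldName(field *ast.Field) string {
	jsonTag := ""
	if field.Tag != nil {
		// Tag.Value still carries the surrounding quote characters.
		jsonTag = reflect.StructTag(field.Tag.Value[1 : len(field.Tag.Value)-1]).Get("json")
		if strings.Contains(jsonTag, "inline") {
			return "-"
		}
	}

	if name := strings.Split(jsonTag, ",")[0]; name != "" {
		return name // may itself be "-"
	}
	if len(field.Names) > 0 {
		return field.Names[0].Name
	}

	// Embedded field: fall back to the name of the embedded type.
	typ := field.Type
	if ptr, ok := typ.(*ast.StarExpr); ok {
		typ = ptr.X
	}
	switch t := typ.(type) {
	case *ast.Ident:
		return t.Name
	case *ast.SelectorExpr:
		return t.Sel.Name
	default:
		return "-"
	}
}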

// fieldRequired reports whether a field is required: it has a struct tag and
// the json part of that tag does not contain "omitempty". A field without
// any tag is treated as optional.
func fieldRequired(field *ast.Field) bool {
	if field.Tag == nil {
		return false
	}

	raw := field.Tag.Value
	// Strip the surrounding quote characters before reading the json key.
	jsonTag := reflect.StructTag(raw[1 : len(raw)-1]).Get("json")
	return !strings.Contains(jsonTag, "omitempty")
}

// fieldType renders the type expression of a field as text, linking every
// type name that toLink knows. Identifiers, pointers, package-qualified
// names, slices/arrays and maps are handled; any other expression renders as
// an empty string.
func fieldType(typ ast.Expr) string {
	switch node := typ.(type) {
	case *ast.Ident:
		return toLink(node.Name)
	case *ast.StarExpr:
		// The pointer itself is not shown, only the type it points to.
		pointee := fieldType(node.X)
		return toLink(pointee)
	case *ast.SelectorExpr:
		qualifier := node.X.(*ast.Ident) //nolint:errcheck
		return toLink(qualifier.Name + "." + node.Sel.Name)
	case *ast.ArrayType:
		element := fieldType(node.Elt)
		return "[]" + toLink(element)
	case *ast.MapType:
		key := toLink(fieldType(node.Key))
		value := toLink(fieldType(node.Value))
		return "map[" + key + "]" + value
	}
	return ""
}


================================================
FILE: cmd/local-dev/clean.go
================================================
//
// Copyright 2023 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"bytes"
	"context"
	"fmt"
	"log"
	"os/exec"

	"github.com/docker/docker/api/types/container"
	"github.com/docker/docker/api/types/filters"
	"github.com/docker/docker/client"
	"github.com/spf13/cobra"
	"github.com/spf13/viper"
)

// addCleanFlags registers the flags of the clean command: --cluster-name,
// which defaults to "policy-controller-demo".
func addCleanFlags(cmd *cobra.Command) {
	flags := cmd.Flags()
	flags.String("cluster-name", "policy-controller-demo", "name of the dev policy controller cluster")
}

// init registers the clean command and its flags on the root command.
func init() {
	addCleanFlags(cleanCmd)
	rootCmd.AddCommand(cleanCmd)
}

// cleanCmd deletes the local kind cluster and the local registry container.
var cleanCmd = &cobra.Command{
	Use:   "clean",
	Short: "cleanup the local k8s cluster",
	Long:  "Cleanup the local k8s cluster",
	// Bind the command's flags to viper so clean() can read them by name. A
	// binding failure ends the process through log.Fatal, so the only value
	// this hook ever returns is nil.
	PreRunE: func(cmd *cobra.Command, _ []string) error {
		if err := viper.BindPFlags(cmd.Flags()); err != nil {
			log.Fatal("Error initializing cmd line args: ", err)
		}
		return nil
	},
	Run: func(_ *cobra.Command, _ []string) {
		clean()
	},
}

// clean deletes the kind cluster named by --cluster-name and then removes the
// local registry container. Any failure ends the process through log.Fatal;
// for the kind command the message includes what it wrote to stderr.
func clean() {
	var errOut bytes.Buffer

	name := viper.GetString("cluster-name")
	fmt.Printf("Cleaning up the kind cluster %s...\n", name)

	// The cluster name travels as its own argv element; no shell is involved,
	// so it is not subject to shell interpretation. The kind binary itself is
	// looked up on PATH.
	deleteCmd := exec.Command("kind", "delete", "cluster", "--name", name)
	deleteCmd.Stderr = &errOut
	if runErr := deleteCmd.Run(); runErr != nil {
		log.Fatal(buildFatalMessage(runErr, errOut))
	}

	registryErr := cleanUpRegistry()
	if registryErr != nil {
		log.Fatal(registryErr)
	}
}

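// cleanUpRegistry stops and removes the container named "registry.local", if
// there is one. It returns the first error from the Docker client.
//
// Docker's name filter is a pattern match, not an equality test: it also
// returns containers whose name merely contains the value, and "." matches
// any character. Acting on the first result could therefore stop and delete
// an unrelated container, so each candidate's name is compared exactly before
// anything is touched. Stopped containers are listed as well (All: true), so
// that a leftover registry does not block the next setup with a name
// conflict.
func cleanUpRegistry() error {
	const registryName = "registry.local"

	ctx := context.Background()
	dockerCLI, err := client.NewClientWithOpts(
		client.FromEnv,
		client.WithAPIVersionNegotiation(),
	)
	if err != nil {
		return err
	}
	defer dockerCLI.Close()

	candidates, err := dockerCLI.ContainerList(ctx, container.ListOptions{
		All:     true,
		Filters: filters.NewArgs(filters.KeyValuePair{Key: "name", Value: registryName}),
	})
	if err != nil {
		return err
	}

	for _, candidate := range candidates {
		exact := false
		for _, name := range candidate.Names {
			// The API reports container names with a leading slash.
			if name == "/"+registryName || name == registryName {
				exact = true
				break
			}
		}
		if !exact {
			continue
		}

		fmt.Println("Cleaning up registry.local...")
		if err := dockerCLI.ContainerStop(ctx, candidate.ID, container.StopOptions{}); err != nil {
			return err
		}
		if err := dockerCLI.ContainerRemove(ctx, candidate.ID, container.RemoveOptions{}); err != nil {
			return err
		}
	}
	return nil
}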


================================================
FILE: cmd/local-dev/main.go
================================================
//
// Copyright 2023 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

// main hands control to the cobra root command of the local-dev tool.
func main() {
	Execute()
}


================================================
FILE: cmd/local-dev/root.go
================================================
//
// Copyright 2023 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"fmt"
	"os"

	"github.com/spf13/cobra"
)

// rootCmd is the top-level "local-dev" command. It has no action of its own;
// the subcommands attach themselves to it from their init functions.
var rootCmd = &cobra.Command{
	Use:   "local-dev",
	Short: "Create, manage, and destroy a local k8s cluster for testing the policy controller",
	Long:  "Create, manage, and destroy a local k8s cluster for testing the policy controller",
}

// Execute runs the root command. If it fails, the error is printed to stderr
// and the process exits with status 1.
func Execute() {
	err := rootCmd.Execute()
	if err == nil {
		return
	}
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}


================================================
FILE: cmd/local-dev/setup.go
================================================
//
// Copyright 2023 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"bytes"
	"context"
	"fmt"
	"io/fs"
	"log"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
	"strconv"

	"github.com/docker/docker/api/types/container"
	"github.com/docker/docker/client"
	"github.com/docker/go-connections/nat"
	"github.com/spf13/cobra"
	"github.com/spf13/viper"
)

const (
	// localRegistryName is both the container name of the local registry and
	// the default value of --registry-url.
	localRegistryName = "registry.local"
	// localRegistryPort is the port the local registry listens on.
	localRegistryPort = 5001
	// defaultKindestNodeVersionTag is the kindest/node image tag used when
	// --k8s-version is not given.
	defaultKindestNodeVersionTag = "v1.27.3"
)

// kindClusterConfig is the fmt template for the kind cluster configuration.
// Its verbs are, in order: cluster name, node image, then the registry host
// and port twice (mirror key and mirror endpoint). Each %s is substituted as
// given, without YAML quoting or escaping. The mirror endpoint uses http://,
// so traffic between the cluster nodes and the local registry is not
// protected by TLS.
var kindClusterConfig = `
apiVersion: kind.x-k8s.io/v1alpha4
kind: Cluster
name: "%s"
nodes:
- role: control-plane
  image: "%s"
# Configure registry for KinD.
containerdConfigPatches:
- |-
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."%s:%d"]
    endpoint = ["http://%s:%d"]
`

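// semverRegexp checks that a supplied image version is in the expected semver
// format: v<major>.<minor>.<patch>. The dots are escaped so that only a
// literal "." is accepted between the numbers; an unescaped "." matches any
// character and would let values such as `v1"27"3` through into the generated
// kind configuration.
var semverRegexp = regexp.MustCompile(`^v[0-9]+\.[0-9]+\.[0-9]+$`)

// registryURLRegexp checks that registry URLs are in the expected format
// <url>:<port>, where <url> is a single alphanumeric label, a literal dot and
// a lower-case suffix. Hosts with more labels or with hyphens are rejected.
var registryURLRegexp = regexp.MustCompile(`^[a-zA-Z0-9]+\.[a-z]+:[0-9]+$`)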

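// addSetupFlags registers the flags of the setup command: --cluster-name,
// --k8s-version and --registry-url.
//
// The help text of --k8s-version used to be a copy of the registry flag's
// description; it now describes the value createKindConfig validates.
func addSetupFlags(cmd *cobra.Command) {
	cmd.Flags().String("cluster-name", "policy-controller-demo", "name of the dev policy controller cluster")
	cmd.Flags().String("k8s-version", defaultKindestNodeVersionTag, "version tag of the kindest/node image to use. Expected format: v<major>.<minor>.<patch>")
	cmd.Flags().String("registry-url", "registry.local", "URL and port of the Ko Docker registry to use. Expected format: <url>:<port>. If no registry is provided, the local Kind registry will be used")
}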

// setupCmd creates the local kind cluster and deploys the policy controller
// into it.
var setupCmd = &cobra.Command{
	Use:   "setup",
	Short: "setup local k8s cluster for testing policy controller",
	Long:  "Setup a local k8s cluster for testing policy controller",
	// Bind the command's flags to viper so setup() can read them by name. A
	// binding failure ends the process through log.Fatal, so the only value
	// this hook ever returns is nil.
	PreRunE: func(cmd *cobra.Command, _ []string) error {
		if err := viper.BindPFlags(cmd.Flags()); err != nil {
			log.Fatal("Error initializing cmd line args: ", err)
		}
		return nil
	},
	Run: func(_ *cobra.Command, _ []string) {
		setup()
	},
}

// buildFatalMessage joins an error and the captured stderr of the command
// that produced it into one message of the form "<error>: <stderr>".
func buildFatalMessage(err error, stderr bytes.Buffer) string {
	captured := stderr.String()
	return fmt.Sprint(err) + ": " + captured
}

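// setup creates the local development environment in five steps:
//
//  1. point KO_DOCKER_REPO at the local registry or at --registry-url,
//  2. write kind.yaml into the working directory and create the kind cluster,
//  3. start the local registry container when the local registry is used,
//  4. export GIT_HASH and GIT_VERSION for the ko build,
//  5. run `ko apply` on every YAML file under config/ except
//     kustomization.yaml.
//
// Any failure ends the process through log.Fatal. The kind, git and ko
// binaries are looked up on PATH, and all arguments are passed as separate
// argv elements rather than through a shell.
func setup() {
	var stderr bytes.Buffer

	registryURL := viper.GetString("registry-url")
	if registryURL == localRegistryName {
		fullLocalRegistryURL := fmt.Sprintf("%s:%d/sigstore", localRegistryName, localRegistryPort)
		err := os.Setenv("KO_DOCKER_REPO", fullLocalRegistryURL)
		if err != nil {
			log.Fatal(buildFatalMessage(err, stderr))
		}
	} else {
		// Anything other than the default must look like <url>:<port>.
		if !registryURLRegexp.MatchString(registryURL) {
			log.Fatal(fmt.Errorf("provided registry URL is not in the expected format: <url>:<port>"))
		}
		err := os.Setenv("KO_DOCKER_REPO", registryURL)
		if err != nil {
			log.Fatal(buildFatalMessage(err, stderr))
		}
	}

	// Create the new Kind cluster
	clusterName := viper.GetString("cluster-name")
	fmt.Printf("Creating Kind cluster %s...\n", clusterName)

	clusterConfig, err := createKindConfig(clusterName, viper.GetString("k8s-version"))
	if err != nil {
		log.Fatal(err)
	}

	// The configuration is written to the current directory, readable by the
	// owner only.
	configBytes := []byte(clusterConfig)
	err = os.WriteFile("kind.yaml", configBytes, 0600)
	if err != nil {
		log.Fatal(err)
	}

	startKindCluster := exec.Command("kind", "create", "cluster", "--config", "kind.yaml")
	startKindCluster.Stderr = &stderr
	if err := startKindCluster.Run(); err != nil {
		log.Fatal(buildFatalMessage(err, stderr))
	}

	if registryURL == localRegistryName {
		if err = setupLocalRegistry(); err != nil {
			log.Fatal(err)
		}
	}

	setGitHash := exec.Command("git", "rev-parse", "HEAD")
	setGitHash.Stderr = &stderr
	outBytes, err := setGitHash.Output()
	if err != nil {
		log.Fatal(buildFatalMessage(err, stderr))
	}

	// git ends its output with a newline. Trim it so the variable holds the
	// bare hash, as it does when the Makefile sets it through $(shell ...).
	err = os.Setenv("GIT_HASH", string(bytes.TrimSpace(outBytes)))
	if err != nil {
		log.Fatal(buildFatalMessage(err, stderr))
	}

	setGitVersion := exec.Command("git", "describe", "--tags", "--always", "--dirty")
	setGitVersion.Stderr = &stderr
	outBytes, err = setGitVersion.Output()
	if err != nil {
		log.Fatal(buildFatalMessage(err, stderr))
	}

	// Same trailing-newline handling as for GIT_HASH.
	err = os.Setenv("GIT_VERSION", string(bytes.TrimSpace(outBytes)))
	if err != nil {
		log.Fatal(buildFatalMessage(err, stderr))
	}

	// Collect every manifest under config/; kustomization.yaml is input for
	// kustomize, not something to apply.
	var configFiles []string
	err = filepath.WalkDir("config", func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}

		if filepath.Ext(d.Name()) == ".yaml" && d.Name() != "kustomization.yaml" {
			configFiles = append(configFiles, path)
		}
		return nil
	})
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println("Applying local policy controller manifests...")
	for _, configFile := range configFiles {
		koApply := exec.Command("ko", "apply", "-f", configFile)
		koApply.Stderr = &stderr
		_, err = koApply.Output()
		if err != nil {
			log.Fatal(buildFatalMessage(err, stderr))
		}
	}
}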

// createKindConfig renders the kind cluster configuration for the given
// cluster name and Kubernetes version. It returns an error when k8sVersion
// does not match semverRegexp.
//
// NOTE(review): clusterName is substituted into the YAML template as given;
// only k8sVersion is validated here. The value comes from the operator's own
// command line, but a caller passing a name from elsewhere should validate it
// first.
func createKindConfig(clusterName, k8sVersion string) (string, error) {
	if ok := semverRegexp.MatchString(k8sVersion); !ok {
		return "", fmt.Errorf("provided k8s version %s is not in the expected semver format v<major>.<minor>.<patch>", k8sVersion)
	}

	nodeImage := "kindest/node:" + k8sVersion
	rendered := fmt.Sprintf(kindClusterConfig,
		clusterName, nodeImage,
		localRegistryName, localRegistryPort,
		localRegistryName, localRegistryPort,
	)
	return rendered, nil
}

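// setupLocalRegistry creates and starts the local registry container and
// connects it to the "kind" Docker network. It returns the first error from
// the Docker client.
//
// A failure to create the Docker client is returned to the caller. It used to
// be reported as success (return nil), which let setup continue without a
// registry and fail later with a less helpful error.
func setupLocalRegistry() error {
	dockerCLI, err := client.NewClientWithOpts(
		client.FromEnv,
		client.WithAPIVersionNegotiation(),
	)
	if err != nil {
		return err
	}
	defer dockerCLI.Close()

	fmt.Printf("\nStarting local registry %s...\n", localRegistryName)

	ctx := context.Background()
	resp, err := dockerCLI.ContainerCreate(ctx, &container.Config{
		// NOTE(review): "registry:2" is a tag, not a digest, so the image
		// behind it can change between runs.
		Image:        "registry:2",
		Env:          []string{fmt.Sprintf("REGISTRY_HTTP_ADDR=0.0.0.0:%d", localRegistryPort)},
		ExposedPorts: nat.PortSet{"5001/tcp": struct{}{}},
	}, &container.HostConfig{
		RestartPolicy: container.RestartPolicy{Name: "always"},
		// The port is published on the loopback address only. No TLS or auth
		// settings are passed to the registry here, so keep it off other
		// interfaces.
		PortBindings: nat.PortMap{
			"5001/tcp": []nat.PortBinding{
				{HostIP: "127.0.0.1", HostPort: strconv.Itoa(localRegistryPort)},
			},
		},
	}, nil, nil, localRegistryName)
	if err != nil {
		return err
	}

	if err := dockerCLI.ContainerStart(ctx, resp.ID, container.StartOptions{}); err != nil {
		return err
	}

	fmt.Println("Connecting network between kind with local registry ...")

	return dockerCLI.NetworkConnect(ctx, "kind", localRegistryName, nil)
}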

// init registers the setup command and its flags on the root command.
func init() {
	addSetupFlags(setupCmd)
	rootCmd.AddCommand(setupCmd)
}


================================================
FILE: cmd/sample/main.go
================================================
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import "log"

// main logs a fixed greeting and returns.
func main() {
	const greeting = "Hello, World!"
	log.Printf(greeting)
}


================================================
FILE: cmd/schema/main.go
================================================
// Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"log"

	"knative.dev/hack/schema/commands"
	"knative.dev/hack/schema/registry"

	v1alpha1 "github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1"
	v1beta1 "github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1"
)

// schema is a tool to dump the schema for policy-controller resources.
//
// main registers the v1alpha1 ClusterImagePolicy and TrustRoot types and the
// v1beta1 ClusterImagePolicy type with the schema registry, then runs the
// schema command and exits fatally if it returns an error.
func main() {
	registry.Register(&v1alpha1.ClusterImagePolicy{})
	registry.Register(&v1alpha1.TrustRoot{})
	registry.Register(&v1beta1.ClusterImagePolicy{})

	schemaCmd := commands.New("github.com/sigstore/policy-controller")
	err := schemaCmd.Execute()
	if err == nil {
		return
	}
	log.Fatal("Error during command execution: ", err)
}


================================================
FILE: cmd/tester/main.go
================================================
//
// Copyright 2022 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"context"
	"encoding/json"
	"flag"
	"fmt"
	"log"
	"os"
	"strings"

	"github.com/google/go-containerregistry/pkg/authn"
	"github.com/google/go-containerregistry/pkg/name"
	"go.uber.org/zap"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"knative.dev/pkg/apis"
	"knative.dev/pkg/logging"
	"sigs.k8s.io/release-utils/version"
	"sigs.k8s.io/yaml"

	"github.com/sigstore/policy-controller/pkg/apis/config"
	"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1"
	policycontrollerconfig "github.com/sigstore/policy-controller/pkg/config"
	"github.com/sigstore/policy-controller/pkg/policy"
	"github.com/sigstore/policy-controller/pkg/webhook"
)

// output is the JSON document printed to stdout when verification fails.
// Both fields are omitted from the JSON when empty.
type output struct {
	Errors   []string `json:"errors,omitempty"`
	Warnings []string `json:"warnings,omitempty"`
}

// LogLevel is the textual log level accepted by the -log-level flag.
type LogLevel string

// The log levels accepted by getSugaredLogger.
const (
	LevelDebug LogLevel = "debug"
	LevelInfo  LogLevel = "info"
	LevelWarn  LogLevel = "warn"
	LevelError LogLevel = "error"
)

// getSugaredLogger checks that value names one of the supported log levels
// and, if so, builds the matching logger through setSugaredLogger. Any other
// value yields an "invalid log level" error.
func getSugaredLogger(value string) (*zap.SugaredLogger, error) {
	level := LogLevel(value)
	known := level == LevelDebug || level == LevelInfo || level == LevelWarn || level == LevelError
	if !known {
		return nil, fmt.Errorf("invalid log level")
	}
	return setSugaredLogger(level)
}

// setSugaredLogger builds a sugared zap logger for logLevel.
//
// Debug and info use zap's development configuration; warn and error use the
// production configuration. An unknown level panics, so callers are expected
// to validate the level first (getSugaredLogger does).
func setSugaredLogger(logLevel LogLevel) (*zap.SugaredLogger, error) {
	var cfg zap.Config
	switch logLevel {
	case LevelDebug:
		cfg = zap.NewDevelopmentConfig()
		cfg.Level.SetLevel(zap.DebugLevel)
	case LevelInfo:
		cfg = zap.NewDevelopmentConfig()
		cfg.Level.SetLevel(zap.InfoLevel)
	case LevelWarn:
		cfg = zap.NewProductionConfig()
		cfg.Level.SetLevel(zap.WarnLevel)
	case LevelError:
		cfg = zap.NewProductionConfig()
		cfg.Level.SetLevel(zap.ErrorLevel)
	default:
		panic("invalid log level")
	}

	built, buildErr := cfg.Build()
	if buildErr != nil {
		return nil, fmt.Errorf("failed to build logger: %w", buildErr)
	}
	return built.Sugar(), nil
}

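// main implements the policy tester: it validates a ClusterImagePolicy given
// by path or URL, compiles it, and verifies the given image against it.
//
// Optional inputs are a Kubernetes resource (made available to the policy as
// object metadata, spec and type metadata) and a TrustRoot resource whose keys
// are added to the configuration under the TrustRoot's name.
//
// On verification failure a JSON document with the errors and collected
// warnings is printed to stdout and the process exits with status 1. Invalid
// flags or a missing -policy/-image print usage and exit with status 1.
func main() {
	cipFilePath := flag.String("policy", "", "path to ClusterImagePolicy or URL to fetch from (http/https)")
	versionFlag := flag.Bool("version", false, "return the policy-controller tester version")
	image := flag.String("image", "", "image to compare against policy")
	resourceFilePath := flag.String("resource", "", "path to a kubernetes resource to use with includeSpec, includeObjectMeta")
	trustRootFilePath := flag.String("trustroot", "", "path to a kubernetes TrustRoot resource to use with the ClusterImagePolicy")
	logLevelStr := flag.String("log-level", "info", "configure the tool's log level (debug, info, warn, error)")
	enableOCI11 := flag.Bool("enable-oci11", false, "enable experimental OCI 1.1 referrers API for attestation discovery")
	flag.Parse()

	logger, err := getSugaredLogger(*logLevelStr)
	if err != nil {
		// Say why we are bailing out; usage alone does not point at the bad flag.
		fmt.Fprintf(os.Stderr, "invalid -log-level %q: %v\n", *logLevelStr, err)
		flag.Usage()
		os.Exit(1)
	}

	ctx := logging.WithLogger(context.Background(), logger)

	// Set up policy controller configuration with OCI 1.1 support
	//
	// NOTE(review): NoMatchPolicy and FailOnEmptyAuthorities are only placed in
	// the context when -enable-oci11 is set; without the flag whatever defaults
	// policycontrollerconfig applies are used. Confirm both paths are meant to
	// evaluate a policy identically apart from referrer discovery.
	if *enableOCI11 {
		policyConfig := &policycontrollerconfig.PolicyControllerConfig{
			NoMatchPolicy:          "deny",
			FailOnEmptyAuthorities: true,
			EnableOCI11:            true,
		}
		ctx = policycontrollerconfig.ToContext(ctx, policyConfig)
	}

	if *versionFlag {
		v := version.GetVersionInfo()
		fmt.Println(v.String())
		os.Exit(0)
	}

	if *cipFilePath == "" || *image == "" {
		flag.Usage()
		os.Exit(1)
	}

	pols := make([]policy.Source, 0, 1)

	if strings.HasPrefix(*cipFilePath, "https://") || strings.HasPrefix(*cipFilePath, "http://") {
		if strings.HasPrefix(*cipFilePath, "http://") {
			// The policy decides which signatures are trusted, so its transport
			// matters: over plain HTTP nothing visible here authenticates it.
			logging.FromContext(ctx).Warnf("Policy URL %s uses plain HTTP; the fetched policy is not protected in transit", *cipFilePath)
		}
		pols = append(pols, policy.Source{
			URL: *cipFilePath,
		})
	} else {
		pols = append(pols, policy.Source{
			Path: *cipFilePath,
		})
	}

	logging.FromContext(ctx).Infof("Validating policy\n")

	v := policy.Verification{
		// An image that matches no policy is rejected.
		NoMatchPolicy: "deny",
		Policies:      &pols,
	}
	if err := v.Validate(ctx); err != nil {
		// CIP validation can return Warnings so let's just go through them
		// and only exit if there are Errors.
		if warnFE := err.Filter(apis.WarningLevel); warnFE != nil {
			log.Printf("CIP has warnings:\n%s\n", warnFE.Error())
		}
		if errorFE := err.Filter(apis.ErrorLevel); errorFE != nil {
			log.Fatalf("CIP is invalid: %s", errorFE.Error())
		}
	}

	logging.FromContext(ctx).Infof("Policy was successfully validated\n")

	ref, err := name.ParseReference(*image)
	if err != nil {
		log.Fatal(err)
	}

	// Warnings raised during compilation are collected and only emitted in the
	// JSON output of a failed verification.
	warningStrings := []string{}
	vfy, err := policy.Compile(ctx, v, func(s string, i ...interface{}) {
		warningStrings = append(warningStrings, fmt.Sprintf(s, i...))
	})
	if err != nil {
		log.Fatal(err)
	}

	if *resourceFilePath != "" {
		logging.FromContext(ctx).Infof("Parsing the provided Kubernetes resource\n")

		raw, err := os.ReadFile(*resourceFilePath)
		if err != nil {
			log.Fatal(err)
		}
		uo := &unstructured.Unstructured{}
		if err := yaml.Unmarshal(raw, uo); err != nil {
			log.Fatal(err)
		}
		// metadata, spec, kind and apiVersion are all required; a resource
		// missing any of them aborts the run.
		m, ok := uo.Object["metadata"]
		if !ok {
			log.Fatal("kubernetes resource is missing metadata key")
		}
		ctx = webhook.IncludeObjectMeta(ctx, m)
		spec, ok := uo.Object["spec"]
		if !ok {
			log.Fatal("kubernetes resource is missing spec key")
		}
		ctx = webhook.IncludeSpec(ctx, spec)
		kind, ok := uo.Object["kind"]
		if !ok {
			log.Fatal("kubernetes resource is missing kind key")
		}
		apiVersion, ok := uo.Object["apiVersion"]
		if !ok {
			log.Fatal("kubernetes resource is missing apiVersion key")
		}
		typeMeta := map[string]interface{}{
			"kind":       kind,
			"apiVersion": apiVersion,
		}
		ctx = webhook.IncludeTypeMeta(ctx, typeMeta)

		logging.FromContext(ctx).Infof("The Kubernetes resource will be used with includeSpec\n")
	}

	if *trustRootFilePath != "" {
		logging.FromContext(ctx).Infof("Parsing the custom trust root\n")

		configCtx := config.FromContextOrDefaults(ctx)
		raw, err := os.ReadFile(*trustRootFilePath)
		if err != nil {
			log.Fatal(err)
		}

		tr := &v1alpha1.TrustRoot{}
		if err := yaml.Unmarshal(raw, tr); err != nil {
			log.Fatal(err)
		}

		// The keys derived here become the verification material for policies
		// that reference this trust root by name.
		keys, err := GetKeysFromTrustRoot(ctx, tr)
		if err != nil {
			log.Fatal(err)
		}

		// This replaces any SigstoreKeysConfig already present in configCtx
		// with a map holding only this trust root.
		maps := map[string]*config.SigstoreKeys{tr.Name: keys}
		configCtx.SigstoreKeysConfig = &config.SigstoreKeysMap{SigstoreKeys: maps}

		ctx = config.ToContext(ctx, configCtx)

		logging.FromContext(ctx).Infof("The custom trust root has been successfully added\n")
	}

	logging.FromContext(ctx).Infof("Verifying the provided image against the policy\n")

	// Registry credentials are resolved through authn.DefaultKeychain.
	errStrings := []string{}
	if err := vfy.Verify(ctx, ref, authn.DefaultKeychain); err != nil {
		errStrings = append(errStrings, strings.Trim(err.Error(), "\n"))
	}

	if len(errStrings) != 0 {
		logging.FromContext(ctx).Infof("Errors encountered during verification\n")

		var o []byte
		o, err = json.Marshal(&output{
			Errors:   errStrings,
			Warnings: warningStrings,
		})
		if err != nil {
			log.Fatal(err)
		}

		fmt.Println(string(o))
		os.Exit(1)
	}
	logging.FromContext(ctx).Infof("Verification was successful!\n")
}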


================================================
FILE: cmd/tester/trustroot.go
================================================
//
// Copyright 2024 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"context"
	"fmt"

	"github.com/sigstore/policy-controller/pkg/apis/config"
	"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1"
	"github.com/sigstore/policy-controller/pkg/reconciler/trustroot"
	"github.com/sigstore/policy-controller/pkg/tuf"
)

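// GetKeysFromTrustRoot derives the Sigstore verification keys described by a
// TrustRoot resource.
//
// Exactly one source is used, checked in this order:
//   - Spec.Remote: a TUF client is initialized against the remote mirror with
//     the supplied root and targets.
//   - Spec.Repository: a TUF client is initialized from the serialized mirror
//     filesystem with the supplied root and targets.
//   - Spec.SigstoreKeys: the inline keys are converted directly.
//
// The root supplied in the TrustRoot is the trust anchor for the TUF paths, so
// the returned keys are only as trustworthy as the TrustRoot input itself.
//
// It returns an error when tr is nil, when none of the three sources is set,
// or when the TUF client or key conversion fails.
func GetKeysFromTrustRoot(ctx context.Context, tr *v1alpha1.TrustRoot) (*config.SigstoreKeys, error) {
	if tr == nil {
		return nil, fmt.Errorf("provided trust root configuration is not supported")
	}

	// The caller's ctx is passed to every call so that the logger and any
	// configuration it carries apply uniformly, as GetSigstoreKeysFromTuf
	// already received it.
	switch {
	case tr.Spec.Remote != nil:
		mirror := tr.Spec.Remote.Mirror.String()
		tufClient, err := tuf.ClientFromRemote(ctx, mirror, tr.Spec.Remote.Root, tr.Spec.Remote.Targets)
		if err != nil {
			return nil, fmt.Errorf("failed to initialize TUF client from remote: %w", err)
		}
		return trustroot.GetSigstoreKeysFromTuf(ctx, tufClient, "")
	case tr.Spec.Repository != nil:
		tufClient, err := tuf.ClientFromSerializedMirror(ctx, tr.Spec.Repository.MirrorFS, tr.Spec.Repository.Root, tr.Spec.Repository.Targets, v1alpha1.DefaultTUFRepoPrefix)
		if err != nil {
			// This path reads a serialized mirror, not a remote; say so.
			return nil, fmt.Errorf("failed to initialize TUF client from serialized mirror: %w", err)
		}

		return trustroot.GetSigstoreKeysFromTuf(ctx, tufClient, "")
	case tr.Spec.SigstoreKeys != nil:
		return config.ConvertSigstoreKeys(ctx, tr.Spec.SigstoreKeys)
	}
	return nil, fmt.Errorf("provided trust root configuration is not supported")
}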


================================================
FILE: cmd/webhook/depcheck_test.go
================================================
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main_test

import (
	"testing"

	"knative.dev/pkg/depcheck"
)

// TestNoDeps asserts that the webhook binary does not pull in any of the
// listed packages. The list is currently empty: its only entry is commented
// out.
func TestNoDeps(t *testing.T) {
	banned := map[string][]string{
		"github.com/sigstore/policy-controller/cmd/webhook": {
			// This conflicts with klog, we error on startup about
			// `-log_dir` being defined multiple times.
			// Note: this dependency has been replaced with a version
			// that does not cause the error
			// "github.com/golang/glog",
		},
	}
	depcheck.AssertNoDependency(t, banned)
}


================================================
FILE: cmd/webhook/main.go
================================================
//
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package main

import (
	"context"
	"flag"
	"fmt"
	"log"
	"os"
	"time"

	policyduckv1beta1 "github.com/sigstore/policy-controller/pkg/apis/duck/v1beta1"
	"github.com/sigstore/policy-controller/pkg/apis/policy"
	"github.com/sigstore/policy-controller/pkg/apis/policy/common"
	"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1"
	"github.com/sigstore/policy-controller/pkg/apis/policy/v1beta1"
	policycontrollerconfig "github.com/sigstore/policy-controller/pkg/config"
	"github.com/sigstore/policy-controller/pkg/reconciler/clusterimagepolicy"
	"github.com/sigstore/policy-controller/pkg/reconciler/trustroot"
	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
	appsv1 "k8s.io/api/apps/v1"
	batchv1 "k8s.io/api/batch/v1"
	batchv1beta1 "k8s.io/api/batch/v1beta1"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/runtime/schema"
	"k8s.io/apimachinery/pkg/util/sets"
	duckv1 "knative.dev/pkg/apis/duck/v1"
	kubeclient "knative.dev/pkg/client/injection/kube/client"
	"knative.dev/pkg/configmap"
	"knative.dev/pkg/controller"
	"knative.dev/pkg/injection/sharedmain"
	"knative.dev/pkg/logging"
	"knative.dev/pkg/signals"
	"knative.dev/pkg/webhook"
	"knative.dev/pkg/webhook/certificates"
	"knative.dev/pkg/webhook/resourcesemantics"
	"knative.dev/pkg/webhook/resourcesemantics/conversion"
	"knative.dev/pkg/webhook/resourcesemantics/defaulting"
	"knative.dev/pkg/webhook/resourcesemantics/validation"
	"sigs.k8s.io/release-utils/version"

	"github.com/sigstore/sigstore/pkg/tuf"

	"github.com/sigstore/policy-controller/pkg/apis/config"
	pctuf "github.com/sigstore/policy-controller/pkg/tuf"
	cwebhook "github.com/sigstore/policy-controller/pkg/webhook"
)

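var (
	// webhookName holds the name of the validating and mutating webhook
	// configuration resources dispatching admission requests to policy-controller.
	// It is also the name of the webhook which is injected by the controller
	// with the resource types, namespace selectors, CABundle and service path.
	// If this changes, you must also change:
	//
	//	./config/500-webhook-configuration.yaml
	//	https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/webhook/webhook_mutating.yaml
	//	https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/webhook/webhook_validating.yaml
	webhookName = flag.String("webhook-name", "policy.sigstore.dev", "The name of the validating and mutating webhook configurations as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-controller.")

	// tufMirror and tufRoot select the TUF repository and root.json that
	// main() passes to tuf.Initialize. Both define the trust anchor used by
	// the controller, so overriding them changes what is trusted.
	tufMirror = flag.String("tuf-mirror", tuf.DefaultRemoteRoot, "Alternate TUF mirror. If left blank, public sigstore one is used")
	tufRoot   = flag.String("tuf-root", "", "Alternate TUF root.json. If left blank, public sigstore one is used")

	// Do not initialize TUF at all.
	// https://github.com/sigstore/policy-controller/issues/354
	disableTUF = flag.Bool("disable-tuf", false, "Disable TUF support.")

	// mutatingCIPWebhookName holds the name of the mutating webhook configuration
	// resource dispatching admission requests to policy-webhook.
	// It is also the name of the webhook which is injected by the controller
	// with the resource types, namespace selectors, CABundle and service path.
	// If this changes, you must also change:
	//    ./config/501-policy-webhook-configurations.yaml
	//    https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml
	mutatingCIPWebhookName = flag.String("mutating-webhook-name", "defaulting.clusterimagepolicy.sigstore.dev", "The name of the mutating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.")
	// validatingCIPWebhookName holds the name of the validating webhook configuration
	// resource dispatching admission requests to policy-webhook.
	// It is also the name of the webhook which is injected by the controller
	// with the resource types, namespace selectors, CABundle and service path.
	// If this changes, you must also change:
	//    ./config/501-policy-webhook-configurations.yaml
	//    https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml
	validatingCIPWebhookName = flag.String("validating-webhook-name", "validating.clusterimagepolicy.sigstore.dev", "The name of the validating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.")

	// policyResyncPeriod holds the interval which ClusterImagePolicies will resync
	// This is essential for triggering a reconcile update for potentially stale KMS authorities.
	policyResyncPeriod = flag.Duration("policy-resync-period", 10*time.Hour, "The resync period for ClusterImagePolicies. The default is 10h.")

	// trustrootResyncPeriod holds the interval which the TrustRoot will resync
	// This is essential for triggering a reconcile update for potentially stale TUF metadata.
	// The help text names TrustRoots; it previously repeated the
	// ClusterImagePolicies wording of the flag above.
	trustrootResyncPeriod = flag.Duration("trustroot-resync-period", 24*time.Hour, "The resync period for TrustRoots. The default is 24h.")
)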

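// main starts the policy-controller webhook process.
//
// It parses flags, initializes the TUF client unless -disable-tuf is set,
// stores the resync periods in the context, publishes the set of valid
// resource names, logs the version and then hands control to sharedmain with
// the certificate, admission, reconciler and conversion controllers.
//
// A TUF root file that cannot be read, or a TUF client that fails to
// initialize, panics: the process does not start without its trust root
// unless TUF was explicitly disabled.
func main() {
	opts := webhook.Options{
		ServiceName: "webhook",
		Port:        8443,
		SecretName:  "webhook-certs",
	}
	ctx := signals.NewContext()

	// Allow folks to configure the port the webhook serves on.
	flag.IntVar(&opts.Port, "secure-port", opts.Port, "The port on which to serve HTTPS.")

	flag.Parse()

	// webhook.WithOptions receives opts by value, so it must be called after
	// the flags are parsed; storing the options earlier would keep the default
	// port in the context and leave -secure-port without effect.
	ctx = webhook.WithOptions(ctx, opts)

	// If TUF has been disabled do not try to set it up.
	if !*disableTUF {
		// If they provided an alternate TUF root file to use, read it here.
		var tufRootBytes []byte
		var err error
		if *tufRoot != "" {
			tufRootBytes, err = os.ReadFile(*tufRoot)
			if err != nil {
				logging.FromContext(ctx).Panicf("Failed to read alternate TUF root file %s : %v", *tufRoot, err)
			}
		}
		logging.FromContext(ctx).Infof("Initializing TUF root from %s => %s", *tufRoot, *tufMirror)
		if err := tuf.Initialize(ctx, *tufMirror, tufRootBytes); err != nil {
			logging.FromContext(ctx).Panicf("Failed to initialize TUF client from %s : %v", *tufRoot, err)
		}
	}

	// Set the policy and trust root resync periods
	ctx = clusterimagepolicy.ToContext(ctx, *policyResyncPeriod)
	ctx = pctuf.ToContext(ctx, *trustrootResyncPeriod)

	// This must match the set of resources we configure in
	// cmd/webhook/main.go in the "types" map.
	common.ValidResourceNames = sets.NewString("replicasets", "deployments",
		"pods", "cronjobs", "jobs", "statefulsets", "daemonsets")

	v := version.GetVersionInfo()
	vJSON, vErr := v.JSONString()
	if vErr != nil {
		// Version output is informational; report the failure and carry on.
		log.Printf("failed to render version info: %v", vErr)
	}
	log.Printf("%v", vJSON)
	// This calls flag.Parse()
	sharedmain.MainWithContext(ctx, "policy-controller",
		certificates.NewController,
		NewValidatingAdmissionController,
		NewMutatingAdmissionController,
		trustroot.NewController,
		clusterimagepolicy.NewController,
		NewPolicyValidatingAdmissionController,
		NewPolicyMutatingAdmissionController,
		newConversionController,
	)
}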

// Compile-time checks that both wrapper types implement the sub-resource and
// verb limiting interfaces.
var (
	_ resourcesemantics.SubResourceLimited = (*crdNoStatusUpdatesOrDeletes)(nil)
	_ resourcesemantics.VerbLimited        = (*crdNoStatusUpdatesOrDeletes)(nil)

	_ resourcesemantics.SubResourceLimited = (*crdEphemeralContainers)(nil)
	_ resourcesemantics.VerbLimited        = (*crdEphemeralContainers)(nil)
)

// crdNoStatusUpdatesOrDeletes wraps a GenericCRD and limits it to the
// sub-resources and verbs returned by its SupportedSubResources and
// SupportedVerbs methods.
type crdNoStatusUpdatesOrDeletes struct {
	resourcesemantics.GenericCRD
}

// crdEphemeralContainers wraps a GenericCRD and, compared with
// crdNoStatusUpdatesOrDeletes, additionally lists the "/ephemeralcontainers"
// sub-resource.
type crdEphemeralContainers struct {
	resourcesemantics.GenericCRD
}

// SupportedSubResources returns only the empty sub-resource name.
func (c *crdNoStatusUpdatesOrDeletes) SupportedSubResources() []string {
	// We do not want any updates that are for status, scale, or anything else.
	return []string{""}
}

// SupportedSubResources returns the "/ephemeralcontainers" sub-resource and
// the empty sub-resource name.
// NOTE(review): presumably this is what brings images in ephemeral containers
// under admission; confirm against the webhook registration.
func (c *crdEphemeralContainers) SupportedSubResources() []string {
	return []string{"/ephemeralcontainers", ""}
}

// SupportedVerbs returns Create and Update; no other operation type is listed.
func (c *crdNoStatusUpdatesOrDeletes) SupportedVerbs() []admissionregistrationv1.OperationType {
	return []admissionregistrationv1.OperationType{
		admissionregistrationv1.Create,
		admissionregistrationv1.Update,
	}
}

// SupportedVerbs returns Create and Update; no other operation type is listed.
func (c *crdEphemeralContainers) SupportedVerbs() []admissionregistrationv1.OperationType {
	return []admissionregistrationv1.OperationType{
		admissionregistrationv1.Create,
		admissionregistrationv1.Update,
	}
}

// types maps each workload kind handled by the image admission webhooks to
// the partial ("duck") type it is decoded into. It is passed to both
// NewValidatingAdmissionController and NewMutatingAdmissionController.
//
// main() sets common.ValidResourceNames to the matching resource names and
// notes that the two must agree; a kind added here needs the same change
// there.
var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
	// Pods are the only kind wrapped in crdEphemeralContainers.
	corev1.SchemeGroupVersion.WithKind("Pod"): &crdEphemeralContainers{GenericCRD: &duckv1.Pod{}},

	appsv1.SchemeGroupVersion.WithKind("ReplicaSet"):  &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}},
	appsv1.SchemeGroupVersion.WithKind("Deployment"):  &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}},
	appsv1.SchemeGroupVersion.WithKind("StatefulSet"): &crdNoStatusUpdatesOrDeletes{GenericCRD: &policyduckv1beta1.PodScalable{}},
	appsv1.SchemeGroupVersion.WithKind("DaemonSet"):   &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.WithPod{}},
	batchv1.SchemeGroupVersion.WithKind("Job"):        &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.WithPod{}},

	// CronJob is registered under both batch/v1 and batch/v1beta1.
	batchv1.SchemeGroupVersion.WithKind("CronJob"):      &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.CronJob{}},
	batchv1beta1.SchemeGroupVersion.WithKind("CronJob"): &crdNoStatusUpdatesOrDeletes{GenericCRD: &duckv1.CronJob{}},
}

// typesCIP maps the policy-controller's own resource kinds to their Go types.
// It is passed to NewPolicyValidatingAdmissionController and
// NewPolicyMutatingAdmissionController.
var typesCIP = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
	// v1alpha1
	v1alpha1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1alpha1.ClusterImagePolicy{},
	v1alpha1.SchemeGroupVersion.WithKind("TrustRoot"):          &v1alpha1.TrustRoot{},
	// v1beta1
	v1beta1.SchemeGroupVersion.WithKind("ClusterImagePolicy"): &v1beta1.ClusterImagePolicy{},
}

// NewValidatingAdmissionController builds the validating admission controller
// for the workload kinds in the types map, served on "/validations" under the
// name given by -webhook-name.
//
// Two config stores are created and subscribed to cmw; every request context
// is decorated with their current state, the kube client and the validator
// callbacks for pod-scalable, pod, pod-spec and cron-job resources.
func NewValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
	// Decorate contexts with the current state of the config.
	cfgStore := config.NewStore(logging.FromContext(ctx).Named("config-store"))
	cfgStore.WatchConfigs(cmw)
	pcCfgStore := policycontrollerconfig.NewStore(logging.FromContext(ctx).Named("config-policy-controller"))
	pcCfgStore.WatchConfigs(cmw)

	// Give this controller its own work queue and a logger named after the webhook.
	webhookOpts := webhook.GetOptions(ctx)
	webhookOpts.ControllerOptions = &controller.ControllerOptions{
		WorkQueueName: fmt.Sprintf("%s-%s", *webhookName, "validating"),
		Logger:        logging.FromContext(ctx).Named(*webhookName),
	}
	ctx = webhook.WithOptions(ctx, *webhookOpts)

	kubeClient := kubeclient.Get(ctx)
	imageValidator := cwebhook.NewValidator(ctx)

	// decorate infuses the context passed to Validate/SetDefaults with custom metadata.
	decorate := func(reqCtx context.Context) context.Context {
		reqCtx = context.WithValue(reqCtx, kubeclient.Key{}, kubeClient)
		reqCtx = cfgStore.ToContext(reqCtx)
		reqCtx = pcCfgStore.ToContext(reqCtx)
		reqCtx = policyduckv1beta1.WithPodScalableValidator(reqCtx, imageValidator.ValidatePodScalable)
		reqCtx = duckv1.WithPodValidator(reqCtx, imageValidator.ValidatePod)
		reqCtx = duckv1.WithPodSpecValidator(reqCtx, imageValidator.ValidatePodSpecable)
		reqCtx = duckv1.WithCronJobValidator(reqCtx, imageValidator.ValidateCronJob)
		return reqCtx
	}

	// Arguments, in order: webhook name, serving path, resources to validate,
	// context decorator, disallow-unknown-fields (false because we're using
	// partial schemas), extra validating callbacks (none).
	return validation.NewAdmissionController(ctx,
		*webhookName,
		"/validations",
		types,
		decorate,
		false,
		nil,
	)
}

// NewMutatingAdmissionController builds the defaulting (mutating) admission
// controller for the workload kinds in the types map, served on "/mutations"
// under the name given by -webhook-name.
//
// Every request context is decorated with the kube client and the validator's
// Resolve* callbacks as defaulters for pod-scalable, pod, pod-spec and
// cron-job resources. The configmap watcher is not used.
func NewMutatingAdmissionController(ctx context.Context, _ configmap.Watcher) *controller.Impl {
	kubeClient := kubeclient.Get(ctx)

	// Give this controller its own work queue and a logger named after the webhook.
	webhookOpts := webhook.GetOptions(ctx)
	webhookOpts.ControllerOptions = &controller.ControllerOptions{
		WorkQueueName: fmt.Sprintf("%s-%s", *webhookName, "mutating"),
		Logger:        logging.FromContext(ctx).Named(*webhookName),
	}
	ctx = webhook.WithOptions(ctx, *webhookOpts)
	imageResolver := cwebhook.NewValidator(ctx)

	// decorate infuses the context passed to Validate/SetDefaults with custom metadata.
	decorate := func(reqCtx context.Context) context.Context {
		reqCtx = context.WithValue(reqCtx, kubeclient.Key{}, kubeClient)
		reqCtx = policyduckv1beta1.WithPodScalableDefaulter(reqCtx, imageResolver.ResolvePodScalable)
		reqCtx = duckv1.WithPodDefaulter(reqCtx, imageResolver.ResolvePod)
		reqCtx = duckv1.WithPodSpecDefaulter(reqCtx, imageResolver.ResolvePodSpecable)
		reqCtx = duckv1.WithCronJobDefaulter(reqCtx, imageResolver.ResolveCronJob)
		return reqCtx
	}

	// Arguments, in order: webhook name, serving path, resources to default,
	// context decorator, disallow-unknown-fields (false because we're using
	// partial schemas).
	return defaulting.NewAdmissionController(ctx,
		*webhookName,
		"/mutations",
		types,
		decorate,
		false,
	)
}

// NewPolicyValidatingAdmissionController builds the validating admission
// controller for the policy-controller's own resources (typesCIP), served on
// "/validating" under the name given by -validating-webhook-name. Unknown
// fields are disallowed.
//
// Two config stores are created and subscribed to cmw, but only the
// policy-controller config store is added to the request context.
func NewPolicyValidatingAdmissionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
	cfgStore := config.NewStore(logging.FromContext(ctx).Named("config-store"))
	cfgStore.WatchConfigs(cmw)
	pcCfgStore := policycontrollerconfig.NewStore(logging.FromContext(ctx).Named("config-policy-controller"))
	pcCfgStore.WatchConfigs(cmw)

	// Work queue and logger are both named after the webhook.
	queueName := *validatingCIPWebhookName
	webhookOpts := webhook.GetOptions(ctx)
	webhookOpts.ControllerOptions = &controller.ControllerOptions{
		WorkQueueName: queueName,
		Logger:        logging.FromContext(ctx).Named(*validatingCIPWebhookName),
	}
	ctx = webhook.WithOptions(ctx, *webhookOpts)

	// decorate adds the current policy-controller configuration to the request context.
	decorate := func(reqCtx context.Context) context.Context {
		return pcCfgStore.ToContext(reqCtx)
	}

	return validation.NewAdmissionController(
		ctx,
		*validatingCIPWebhookName,
		"/validating",
		typesCIP,
		decorate,
		true,
	)
}

// NewPolicyMutatingAdmissionController builds the defaulting (mutating)
// admission controller for the policy-controller's own resources (typesCIP),
// served on "/defaulting" under the name given by -mutating-webhook-name.
// Unknown fields are disallowed and the request context is passed through
// unchanged. The configmap watcher is not used.
func NewPolicyMutatingAdmissionController(ctx context.Context, _ configmap.Watcher) *controller.Impl {
	webhookOpts := webhook.GetOptions(ctx)

	// Work queue and logger are both named after the webhook.
	webhookOpts.ControllerOptions = &controller.ControllerOptions{
		WorkQueueName: *mutatingCIPWebhookName,
		Logger:        logging.FromContext(ctx).Named(*mutatingCIPWebhookName),
	}
	ctx = webhook.WithOptions(ctx, *webhookOpts)

	// passThrough leaves the request context as it is.
	passThrough := func(reqCtx context.Context) context.Context { return reqCtx }

	return defaulting.NewAdmissionController(
		ctx,
		*mutatingCIPWebhookName,
		"/defaulting",
		typesCIP,
		passThrough,
		true,
	)
}

// newConversionController builds the CRD conversion webhook served at
// "/resource-conversion".
//
// Only the ClusterImagePolicy kind is registered: v1alpha1 is the hub version
// and both v1alpha1 and v1beta1 objects can be converted. The configmap
// watcher is unused and the conversion context is passed through unchanged.
func newConversionController(ctx context.Context, _ configmap.Watcher) *controller.Impl {
	alphaVersion := v1alpha1.SchemeGroupVersion.Version
	betaVersion := v1beta1.SchemeGroupVersion.Version

	// Dedicated work queue and named logger for the conversion controller.
	opts := webhook.GetOptions(ctx)
	opts.ControllerOptions = &controller.ControllerOptions{
		WorkQueueName: "resource-conversion",
		Logger:        logging.FromContext(ctx).Named("resource-conversion"),
	}
	ctx = webhook.WithOptions(ctx, *opts)

	// Custom resource kinds that this webhook converts between versions.
	convertibleKinds := map[schema.GroupKind]conversion.GroupKindConversion{
		v1beta1.Kind("ClusterImagePolicy"): {
			DefinitionName: policy.ClusterImagePolicyResource.String(),
			HubVersion:     alphaVersion,
			Zygotes: map[string]conversion.ConvertibleObject{
				alphaVersion: &v1alpha1.ClusterImagePolicy{},
				betaVersion:  &v1beta1.ClusterImagePolicy{},
			},
		},
	}

	// Context hook for ConvertTo/ConvertFrom/SetDefaults; nothing is added.
	passThrough := func(reqCtx context.Context) context.Context { return reqCtx }

	return conversion.NewConversionController(ctx,
		// The path on which the webhook is served.
		"/resource-conversion",
		convertibleKinds,
		passThrough,
	)
}


================================================
FILE: config/100-namespace.yaml
================================================
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespace that the policy-controller manifests in this directory deploy into
# (the webhook ServiceAccount, Role and RoleBinding all name cosign-system).
apiVersion: v1
kind: Namespace
metadata:
  name: cosign-system
  labels:
    # NOTE(review): presumably keeps the controller's own namespace out of image
    # policy enforcement (namespaces appear to opt in with the value "true") -
    # confirm against the namespaceSelector in 500-webhook-configuration.yaml.
    # If so, workloads created here are not verified, so the right to create
    # pods in cosign-system should be tightly restricted.
    policy.sigstore.dev/include: "false"


================================================
FILE: config/200-clusterrole.yaml
================================================
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Cluster-scoped permissions for the policy-controller webhook. This role is
# bound to the "webhook" ServiceAccount in cosign-system by a ClusterRoleBinding
# (201-clusterrolebinding.yaml), so every rule below applies in all namespaces
# unless it is narrowed with resourceNames.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: policy-controller-rbac
rules:
  # Events may be created and patched in any namespace.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create","patch"]

  # Finalizer updates are limited to the three webhook configurations named here.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations/finalizers", "mutatingwebhookconfigurations/finalizers"]
    resourceNames: ["policy.sigstore.dev", "validating.clusterimagepolicy.sigstore.dev", "defaulting.clusterimagepolicy.sigstore.dev"]
    verbs: ["update"]
  # Allow the reconciliation of exactly our validating and mutating webhooks.
  # list/watch carry no resourceNames, so every webhook configuration in the
  # cluster is readable; only get/update/delete are pinned to our three names.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "update", "delete"]
    resourceNames: ["policy.sigstore.dev", "validating.clusterimagepolicy.sigstore.dev", "defaulting.clusterimagepolicy.sigstore.dev"]

  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]
    # The webhook configured the namespace as the OwnerRef on various cluster-scoped resources,
    # which requires we can Get the system namespace.
    resourceNames: ["cosign-system"]

  # Finalizer updates on the system namespace only.
  - apiGroups: [""]
    resources: ["namespaces/finalizers"]
    verbs: ["update"]
    resourceNames: ["cosign-system"]

  # Allow the reconciliation of exactly our CRDs.
  # This is needed for us to patch in conversion webhook information.
  # As with the webhook configurations above, list/watch cover all CRDs in the
  # cluster; get/update are pinned to the two policy.sigstore.dev CRDs.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["list", "watch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "update"]
    resourceNames: ["clusterimagepolicies.policy.sigstore.dev"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "update"]
    resourceNames: ["trustroots.policy.sigstore.dev"]

  # Allow reconciliation of the ClusterImagePolicy and TrustRoot CRDs.
  # Covers the objects and their status subresources; create and delete are
  # not granted.
  - apiGroups: ["policy.sigstore.dev"]
    resources: ["clusterimagepolicies", "clusterimagepolicies/status"]
    verbs: ["get", "list", "update", "watch", "patch"]
  - apiGroups: ["policy.sigstore.dev"]
    resources: ["trustroots", "trustroots/status"]
    verbs: ["get", "list", "update", "watch", "patch"]

  # This is needed by k8schain to support fetching pull secrets attached to pod specs
  # or their service accounts.  If pull secrets aren't used, the "secrets" below can
  # be safely dropped, but the logic will fetch the service account to check for pull
  # secrets.
  # NOTE(review): there are no resourceNames here and the role is bound
  # cluster-wide, so the webhook ServiceAccount can read any Secret in any
  # namespace whose name it knows ("get" only, no list/watch). Treat that
  # ServiceAccount's token as cluster-sensitive, and remove "secrets" in
  # deployments that do not rely on pull secrets.
  - apiGroups: [""]
    resources: ["serviceaccounts", "secrets"]
    verbs: ["get"]


================================================
FILE: config/200-role.yaml
================================================
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Namespace-scoped permissions for the policy-controller webhook; every rule
# below applies only inside cosign-system.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: policy-controller-namespace-rbac
  namespace: cosign-system
rules:
  # Needed to watch and load configuration and secret data.
  # NOTE(review): no resourceNames, so this covers read and update on every
  # ConfigMap and Secret in the namespace. The update on Secrets is presumably
  # for the webhook's serving-certificate Secret - confirm; if so, that verb
  # could be narrowed to the one Secret with resourceNames.
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list", "update", "watch"]

  # Needed for leader election
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]

  # This is needed to create / patch ConfigMap that is created by the reconciler
  # to consolidate various CIP configuration into a policy ConfigMap.
  # NOTE(review): Kubernetes RBAC cannot restrict "create" by resourceNames, and
  # "list"/"watch" are name-restricted only for requests that carry a matching
  # metadata.name field selector. In practice this rule adds "patch" on the
  # named ConfigMap; the "create" verb likely has no effect for a plain create
  # request - verify that the ConfigMap is provisioned some other way.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["config-image-policies"]
    verbs: ["get", "list", "create", "update", "patch", "watch"]

  # This is needed to create / patch ConfigMap that is created by the reconciler
  # to consolidate various TrustRoot configuration into SigstoreKeys ConfigMap.
  # The resourceNames caveat on the config-image-policies rule applies here too.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["config-sigstore-keys"]
    verbs: ["get", "list", "create", "update", "patch", "watch"]


================================================
FILE: config/200-serviceaccount.yaml
================================================
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Identity the policy-controller runs under. It is the subject of both the
# ClusterRoleBinding and the RoleBinding named policy-controller-webhook, so its
# token carries the cluster-wide and the cosign-system permissions together.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: webhook
  namespace: cosign-system


================================================
FILE: config/201-clusterrolebinding.yaml
================================================
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Grants the cluster-wide rules of the policy-controller-rbac ClusterRole to the
# "webhook" ServiceAccount in cosign-system. Because this is a
# ClusterRoleBinding, those rules are not limited to any one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: policy-controller-webhook
subjects:
  - kind: ServiceAccount
    name: webhook
    namespace: cosign-system
roleRef:
  kind: ClusterRole
  name: policy-controller-rbac
  apiGroup: rbac.authorization.k8s.io


================================================
FILE: config/201-rolebinding.yaml
================================================
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Grants the policy-controller-namespace-rbac Role to the "webhook"
# ServiceAccount. Both the binding and the Role live in cosign-system, so the
# granted access stays inside that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: policy-controller-webhook
  namespace: cosign-system
subjects:
  - kind: ServiceAccount
    name: webhook
    namespace: cosign-system
roleRef:
  kind: Role
  name: policy-controller-namespace-rbac
  apiGroup: rbac.authorization.k8s.io


================================================
FILE: config/300-clusterimagepolicy.yaml
================================================
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusterimagepolicies.policy.sigstore.dev
spec:
  conversion:
    strategy: Webhook
    webhook:
      conversionReviewVersions: ["v1beta1", "v1alpha1"]
      clientConfig:
        service:
          name: webhook
          namespace: cosign-system
  group: policy.sigstore.dev
  names:
    kind: ClusterImagePolicy
    plural: clusterimagepolicies
    singular: clusterimagepolicy
    categories:
      - all
      - sigstore
    shortNames:
      - cip
  scope: Cluster
  versions:
    - name: v1alpha1
      served: true
      storage: true
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              description: Spec holds the desired state of the ClusterImagePolicy (from the client).
              type: object
              properties:
                authorities:
                  description: Authorities defines the rules for discovering and validating signatures.
                  type: array
                  items:
                    type: object
                    properties:
                      attestations:
                        description: Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified.
                        type: array
                        items:
                          type: object
                          properties:
                            name:
                              description: Name of the attestation. These can then be referenced at the CIP level policy.
                              type: string
                            policy:
                              description: Policy defines all of the matching signatures, and all of the matching attestations (whose attestations are verified).
                              type: object
                              properties:
                                configMapRef:
                                  description: ConfigMapRef defines the reference to a configMap with the policy definition.
                                  type: object
                                  properties:
                                    key:
                                      description: Key defines the key to pull from the configmap.
                                      type: string
                                    name:
                                      description: Name is unique within a namespace to reference a configmap resource.
                                      type: string
                                    namespace:
                                      description: Namespace defines the space within which the configmap name must be unique.
                                      type: string
                                data:
                                  description: Data contains the policy definition.
                                  type: string
                                fetchConfigFile:
                                  description: 'FetchConfigFile controls whether ConfigFile will be fetched and made available for CIP level policy evaluation. Note that this only gets evaluated (and hence fetched) iff at least one authority matches. The ConfigFile will then be available in this format: https://github.com/opencontainers/image-spec/blob/main/config.md'
                                  type: boolean
                                includeObjectMeta:
                                  description: IncludeObjectMeta controls whether the ObjectMeta will be included and made available for CIP level policy evalutation. Note that this only gets evaluated iff at least one authority matches.
                                  type: boolean
                                includeSpec:
                                  description: IncludeSpec controls whether resource `Spec` will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. Also note that because Spec may be of a different shape depending on the resource being evaluatied (see MatchResource for filtering) you might want to configure these to match the policy file to ensure the shape of the Spec is what you expect when evaling the policy.
                                  type: boolean
                                includeTypeMeta:
                                  description: IncludeTypeMeta controls whether the TypeMeta will be included and made available for CIP level policy evalutation. Note that this only gets evaluated iff at least one authority matches.
                                  type: boolean
                                remote:
                                  description: Remote defines the url to a policy.
                                  type: object
                                  properties:
                                    sha256sum:
                                      description: Sha256sum defines the exact sha256sum computed out of the 'body' of the http response.
                                      type: string
                                    url:
                                      description: URL to the policy data.
                                      type: string
                                type:
                                  description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :)
                                  type: string
                            predicateType:
                              description: PredicateType defines which predicate type to verify. Matches cosign verify-attestation options.
                              type: string
                      ctlog:
                        description: CTLog sets the configuration to verify the authority against a Rekor instance.
                        type: object
                        properties:
                          trustRootRef:
                            description: Use the Public Key from the referred TrustRoot.TLog
                            type: string
                          url:
                            description: URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)
                            type: string
                      key:
                        description: Key defines the type of key to validate the image.
                        type: object
                        properties:
                          data:
                            description: Data contains the inline public key.
                            type: string
                          hashAlgorithm:
                            description: HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set
                            type: string
                          kms:
                            description: KMS contains the KMS url of the public key Supported formats differ based on the KMS system used.
                            type: string
                          secretRef:
                            description: SecretRef sets a reference to a secret with the key.
                            type: object
                            properties:
                              name:
                                description: name is unique within a namespace to reference a secret resource.
                                type: string
                              namespace:
                                description: namespace defines the space within which the secret name must be unique.
                                type: string
                      keyless:
                        description: Keyless sets the configuration to verify the authority against a Fulcio instance.
                        type: object
                        properties:
                          ca-cert:
                            description: CACert sets a reference to CA certificate
                            type: object
                            properties:
                              data:
                                description: Data contains the inline public key.
                                type: string
                              hashAlgorithm:
                                description: HashAlgorithm always defaults to sha256 if the algorithm hasn't been explicitly set
                                type: string
                              kms:
                                description: KMS contains the KMS url of the public key Supported formats differ based on the KMS system used.
                                type: string
                              secretRef:
                                description: SecretRef sets a reference to a secret with the key.
                                type: object
                                properties:
                                  name:
                                    description: name is unique within a namespace to reference a secret resource.
                                    type: string
                                  namespace:
                                    description: namespace defines the space within which the secret name must be unique.
                                    type: string
                          identities:
                            description: Identities sets a list of identities.
                            type: array
                            items:
                              type: object
                              properties:
                                issuer:
                                  description: Issuer defines the issuer for this identity.
                                  type: string
                                issuerRegExp:
                                  description: IssuerRegExp specifies a regular expression to match the issuer for this identity.
                                  type: string
                                subject:
                                  description: Subject defines the subject for this identity.
                                  type: string
                                subjectRegExp:
                                  description: SubjectRegExp specifies a regular expression to match the subject for this identity.
                                  type: string
                          insecureIgnoreSCT:
                            description: InsecureIgnoreSCT omits verifying if a certificate contains an embedded SCT
                            type: boolean
                          trustRootRef:
                            description: Use the Certificate Chain from the referred TrustRoot.CertificateAuthorities and TrustRoot.CTLog
                            type: string
                          url:
                            description: URL defines a url to the keyless instance.
                            type: string
                      name:
                        description: Name is the name for this authority. Used by the CIP Policy validator to be able to reference matching signature or attestation verifications. If not specified, the name will be authority-<index in array>
                        type: string
                      rfc3161timestamp:
                        description: RFC3161Timestamp sets the configuration to verify the signature timestamp against a RFC3161 time-stamping instance.
                        type: object
                        properties:
                          trustRootRef:
                            description: Use the Certificate Chain from the referred TrustRoot.TimeStampAuthorities
                            type: string
                      signatureFormat:
                        description: SignatureFormat specifies the format the authority expects. Supported formats are "legacy" and "bundle". If not specified, the default is "legacy" (cosign's default).
                        type: string
                      source:
                        description: Sources sets the configuration to specify the sources from where to consume the signatures.
                        type: array
                        items:
                          type: object
                          properties:
                            oci:
                              description: OCI defines the registry from where to pull the signature / attestations.
                              type: string
                            signaturePullSecrets:
                              description: SignaturePullSecrets is an optional list of references to secrets in the same namespace as the deploying resource for pulling any of the signatures used by this Source.
                              type: array
                              items:
                                type: object
                                properties:
                                  name:
                                    description: 'Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                    type: string
                            tagPrefix:
                              description: TagPrefix is an optional prefix that signature and attestations have. This is the 'tag based discovery' and in the future once references are fully supported that should likely be the preferred way to handle these.
                              type: string
                      static:
                        description: Static specifies that signatures / attestations are not validated but instead a static policy is applied against matching images.
                        type: object
                        properties:
                          action:
                            description: Action defines how to handle a matching policy.
                            type: string
                          message:
                            description: For fail actions, emit an optional custom message
                            type: string
                images:
                  description: Images defines the patterns of image names that should be subject to this policy.
                  type: array
                  items:
                    type: object
                    properties:
                      glob:
                        description: Glob defines a globbing pattern.
                        type: string
                match:
                  description: Match allows selecting resources based on their properties.
                  type: array
                  items:
                    type: object
                    properties:
                      group:
                        type: string
                      resource:
                        type: string
                      selector:
                        type: object
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            type: array
                            items:
                              type: object
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  type: array
                                  items:
                                    type: string
                          matchLabels:
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                            x-kubernetes-preserve-unknown-fields: true
                      version:
                        type: string
                mode:
                  description: Mode controls whether a failing policy will be rejected (not admitted), or if errors are converted to Warnings. enforce - Reject (default) warn - allow but warn
                  type: string
                policy:
                  description: Policy is an optional policy that can be applied against all the successfully validated Authorities. If no authorities pass, this does not even get evaluated, as the Policy is considered failed.
                  type: object
                  properties:
                    configMapRef:
                      description: ConfigMapRef defines the reference to a configMap with the policy definition.
                      type: object
                      properties:
                        key:
                          description: Key defines the key to pull from the configmap.
                          type: string
                        name:
                          description: Name is unique within a namespace to reference a configmap resource.
                          type: string
                        namespace:
                          description: Namespace defines the space within which the configmap name must be unique.
                          type: string
                    data:
                      description: Data contains the policy definition.
                      type: string
                    fetchConfigFile:
                      description: 'FetchConfigFile controls whether ConfigFile will be fetched and made available for CIP level policy evaluation. Note that this only gets evaluated (and hence fetched) iff at least one authority matches. The ConfigFile will then be available in this format: https://github.com/opencontainers/image-spec/blob/main/config.md'
                      type: boolean
                    includeObjectMeta:
                      description: IncludeObjectMeta controls whether the ObjectMeta will be included and made available for CIP level policy evalutation. Note that this only gets evaluated iff at least one authority matches.
                      type: boolean
                    includeSpec:
                      description: IncludeSpec controls whether resource `Spec` will be included and made available for CIP level policy evaluation. Note that this only gets evaluated iff at least one authority matches. Also note that because Spec may be of a different shape depending on the resource being evaluatied (see MatchResource for filtering) you might want to configure these to match the policy file to ensure the shape of the Spec is what you expect when evaling the policy.
                      type: boolean
                    includeTypeMeta:
                      description: IncludeTypeMeta controls whether the TypeMeta will be included and made available for CIP level policy evalutation. Note that this only gets evaluated iff at least one authority matches.
                      type: boolean
                    remote:
                      description: Remote defines the url to a policy.
                      type: object
                      properties:
                        sha256sum:
                          description: Sha256sum defines the exact sha256sum computed out of the 'body' of the http response.
                          type: string
                        url:
                          description: URL to the policy data.
                          type: string
                    type:
                      description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :)
                      type: string
            status:
              description: Status represents the current state of the ClusterImagePolicy. This data may be out of date.
              type: object
              properties:
                annotations:
                  description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.
                  type: object
                  x-kubernetes-preserve-unknown-fields: true
                conditions:
                  description: Conditions the latest available observations of a resource's current state.
                  type: array
                  items:
                    type: object
                    required:
                      - type
                      - status
                    properties:
                      lastTransitionTime:
                        description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
                        type: string
                      message:
                        description: A human readable message indicating details about the transition.
                        type: string
                      reason:
                        description: The reason for the condition's last transition.
                        type: string
                      severity:
                        description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.
                        type: string
                      status:
                        description: Status of the condition, one of True, False, Unknown.
                        type: string
                      type:
                        description: Type of condition.
                        type: string
                observedGeneration:
                  description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
                  type: integer
                  format: int64
    - name: v1beta1
      served: true
      storage: false
      subresources:
        status: {}
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              description: Spec holds the desired state of the ClusterImagePolicy (from the client).
              type: object
              properties:
                authorities:
                  description: Authorities defines the rules for discovering and validating signatures.
                  type: array
                  items:
                    type: object
                    properties:
                      attestations:
                        description: Attestations is a list of individual attestations for this authority, once the signature for this authority has been verified.
                        type: array
                        items:
          
gitextract_s9p6qnqm/

├── .gitattributes
├── .github/
│   ├── dependabot.yml
│   └── workflows/
│       ├── build.yaml
│       ├── codeql-analysis.yml
│       ├── depsreview.yml
│       ├── donotsubmit.yaml
│       ├── kind-cluster-image-policy-no-tuf.yaml
│       ├── kind-cluster-image-policy-trustroot.yaml
│       ├── kind-cluster-image-policy-tsa.yaml
│       ├── kind-cluster-image-policy.yaml
│       ├── kind-e2e-cosigned.yaml
│       ├── kind-e2e-trustroot-crd.yaml
│       ├── lint.yaml
│       ├── milestone.yaml
│       ├── policy-tester-examples.yml
│       ├── release-snapshot.yaml
│       ├── release.yaml
│       ├── scorecard_action.yml
│       ├── style.yaml
│       ├── tests.yaml
│       ├── verify-codegen.yaml
│       ├── verify-docs.yaml
│       └── whitespace.yaml
├── .gitignore
├── .golangci.yml
├── .goreleaser.yaml
├── .ko.yaml
├── CHANGELOG.md
├── CODEOWNERS
├── CODE_OF_CONDUCT.md
├── COPYRIGHT.txt
├── LICENSE
├── Makefile
├── README.md
├── cmd/
│   ├── api-docs/
│   │   └── main.go
│   ├── local-dev/
│   │   ├── clean.go
│   │   ├── main.go
│   │   ├── root.go
│   │   └── setup.go
│   ├── sample/
│   │   └── main.go
│   ├── schema/
│   │   └── main.go
│   ├── tester/
│   │   ├── main.go
│   │   └── trustroot.go
│   └── webhook/
│       ├── depcheck_test.go
│       └── main.go
├── config/
│   ├── 100-namespace.yaml
│   ├── 200-clusterrole.yaml
│   ├── 200-role.yaml
│   ├── 200-serviceaccount.yaml
│   ├── 201-clusterrolebinding.yaml
│   ├── 201-rolebinding.yaml
│   ├── 300-clusterimagepolicy.yaml
│   ├── 300-trustroot.yaml
│   ├── 400-webhook-service.yaml
│   ├── 500-webhook-configuration.yaml
│   ├── 501-policy-webhook-configurations.yaml
│   ├── config-image-policies.yaml
│   ├── config-leader-election.yaml
│   ├── config-logging.yaml
│   ├── config-observability.yaml
│   ├── config-policy-controller.yaml
│   ├── config-sigstore-keys.yaml
│   ├── dummy.go
│   ├── kustomization.yaml
│   └── webhook.yaml
├── docs/
│   └── api-types/
│       ├── index-v1alpha1.md
│       └── index.md
├── examples/
│   ├── README.md
│   ├── keys/
│   │   ├── cosign.key
│   │   └── cosign.pub
│   ├── policies/
│   │   ├── allow-only-pods.yaml
│   │   ├── custom-key-attestation-sbom-spdxjson.yaml
│   │   ├── keyless-attestation-sbom-spdxjson.yaml
│   │   ├── release-signed-by-github-actions.yaml
│   │   ├── signed-by-aws-kms-key.yaml
│   │   ├── signed-by-gcp-kms-key.yaml
│   │   └── signed-by-github-actions.yaml
│   └── sboms/
│       └── example.spdx.json
├── go.mod
├── go.sum
├── hack/
│   ├── boilerplate/
│   │   └── boilerplate.go.txt
│   ├── gentestdata/
│   │   └── gentestdata.go
│   ├── github-oidc-setup.sh
│   ├── tools.go
│   ├── update-codegen.sh
│   └── update-deps.sh
├── images/
│   └── dot/
│       └── signatures.dot
├── pkg/
│   ├── apis/
│   │   ├── config/
│   │   │   ├── doc.go
│   │   │   ├── image_policies.go
│   │   │   ├── image_policies_test.go
│   │   │   ├── sigstore_keys.go
│   │   │   ├── sigstore_keys_test.go
│   │   │   ├── store.go
│   │   │   ├── store_test.go
│   │   │   └── testdata/
│   │   │       ├── config-image-policies.yaml
│   │   │       ├── config-invalid-image-policy.yaml
│   │   │       └── config-sigstore-keys.yaml
│   │   ├── duck/
│   │   │   └── v1beta1/
│   │   │       ├── doc.go
│   │   │       ├── podscalable_defaults.go
│   │   │       ├── podscalable_defaults_test.go
│   │   │       ├── podscalable_implements_test.go
│   │   │       ├── podscalable_types.go
│   │   │       ├── podscalable_types_test.go
│   │   │       ├── podscalable_validation.go
│   │   │       ├── podscalable_validation_test.go
│   │   │       ├── register.go
│   │   │       └── zz_generated.deepcopy.go
│   │   ├── glob/
│   │   │   ├── glob.go
│   │   │   └── glob_test.go
│   │   ├── policy/
│   │   │   ├── common/
│   │   │   │   ├── validation.go
│   │   │   │   └── validation_test.go
│   │   │   ├── register.go
│   │   │   ├── v1alpha1/
│   │   │   │   ├── clusterimagepolicy_conversion.go
│   │   │   │   ├── clusterimagepolicy_conversion_test.go
│   │   │   │   ├── clusterimagepolicy_defaults.go
│   │   │   │   ├── clusterimagepolicy_defaults_test.go
│   │   │   │   ├── clusterimagepolicy_lifecycle.go
│   │   │   │   ├── clusterimagepolicy_lifecycle_test.go
│   │   │   │   ├── clusterimagepolicy_types.go
│   │   │   │   ├── clusterimagepolicy_validation.go
│   │   │   │   ├── clusterimagepolicy_validation_test.go
│   │   │   │   ├── doc.go
│   │   │   │   ├── register.go
│   │   │   │   ├── trustroot_defaults.go
│   │   │   │   ├── trustroot_defaults_test.go
│   │   │   │   ├── trustroot_lifecycle.go
│   │   │   │   ├── trustroot_types.go
│   │   │   │   ├── trustroot_validation.go
│   │   │   │   ├── trustroot_validation_test.go
│   │   │   │   └── zz_generated.deepcopy.go
│   │   │   └── v1beta1/
│   │   │       ├── clusterimagepolicy_conversion.go
│   │   │       ├── clusterimagepolicy_conversion_test.go
│   │   │       ├── clusterimagepolicy_defaults.go
│   │   │       ├── clusterimagepolicy_defaults_test.go
│   │   │       ├── clusterimagepolicy_lifecycle.go
│   │   │       ├── clusterimagepolicy_types.go
│   │   │       ├── clusterimagepolicy_validation.go
│   │   │       ├── clusterimagepolicy_validation_test.go
│   │   │       ├── doc.go
│   │   │       ├── register.go
│   │   │       └── zz_generated.deepcopy.go
│   │   └── signaturealgo/
│   │       ├── signature_digest.go
│   │       └── signature_digest_test.go
│   ├── client/
│   │   ├── clientset/
│   │   │   └── versioned/
│   │   │       ├── clientset.go
│   │   │       ├── doc.go
│   │   │       ├── fake/
│   │   │       │   ├── clientset_generated.go
│   │   │       │   ├── doc.go
│   │   │       │   └── register.go
│   │   │       ├── scheme/
│   │   │       │   ├── doc.go
│   │   │       │   └── register.go
│   │   │       └── typed/
│   │   │           ├── duck/
│   │   │           │   └── v1beta1/
│   │   │           │       ├── doc.go
│   │   │           │       ├── duck_client.go
│   │   │           │       ├── fake/
│   │   │           │       │   ├── doc.go
│   │   │           │       │   └── fake_duck_client.go
│   │   │           │       └── generated_expansion.go
│   │   │           └── policy/
│   │   │               ├── v1alpha1/
│   │   │               │   ├── clusterimagepolicy.go
│   │   │               │   ├── doc.go
│   │   │               │   ├── fake/
│   │   │               │   │   ├── doc.go
│   │   │               │   │   ├── fake_clusterimagepolicy.go
│   │   │               │   │   ├── fake_policy_client.go
│   │   │               │   │   └── fake_trustroot.go
│   │   │               │   ├── generated_expansion.go
│   │   │               │   ├── policy_client.go
│   │   │               │   └── trustroot.go
│   │   │               └── v1beta1/
│   │   │                   ├── clusterimagepolicy.go
│   │   │                   ├── doc.go
│   │   │                   ├── fake/
│   │   │                   │   ├── doc.go
│   │   │                   │   ├── fake_clusterimagepolicy.go
│   │   │                   │   └── fake_policy_client.go
│   │   │                   ├── generated_expansion.go
│   │   │                   └── policy_client.go
│   │   ├── informers/
│   │   │   └── externalversions/
│   │   │       ├── factory.go
│   │   │       ├── generic.go
│   │   │       ├── internalinterfaces/
│   │   │       │   └── factory_interfaces.go
│   │   │       └── policy/
│   │   │           ├── interface.go
│   │   │           ├── v1alpha1/
│   │   │           │   ├── clusterimagepolicy.go
│   │   │           │   ├── interface.go
│   │   │           │   └── trustroot.go
│   │   │           └── v1beta1/
│   │   │               ├── clusterimagepolicy.go
│   │   │               └── interface.go
│   │   ├── injection/
│   │   │   ├── client/
│   │   │   │   ├── client.go
│   │   │   │   └── fake/
│   │   │   │       └── fake.go
│   │   │   ├── ducks/
│   │   │   │   └── duck/
│   │   │   │       └── v1beta1/
│   │   │   │           └── podscalable/
│   │   │   │               ├── fake/
│   │   │   │               │   └── fake.go
│   │   │   │               └── podscalable.go
│   │   │   ├── informers/
│   │   │   │   ├── factory/
│   │   │   │   │   ├── factory.go
│   │   │   │   │   ├── fake/
│   │   │   │   │   │   └── fake.go
│   │   │   │   │   └── filtered/
│   │   │   │   │       ├── fake/
│   │   │   │   │       │   └── fake_filtered_factory.go
│   │   │   │   │       └── filtered_factory.go
│   │   │   │   └── policy/
│   │   │   │       ├── v1alpha1/
│   │   │   │       │   ├── clusterimagepolicy/
│   │   │   │       │   │   ├── clusterimagepolicy.go
│   │   │   │       │   │   ├── fake/
│   │   │   │       │   │   │   └── fake.go
│   │   │   │       │   │   └── filtered/
│   │   │   │       │   │       ├── clusterimagepolicy.go
│   │   │   │       │   │       └── fake/
│   │   │   │       │   │           └── fake.go
│   │   │   │       │   └── trustroot/
│   │   │   │       │       ├── fake/
│   │   │   │       │       │   └── fake.go
│   │   │   │       │       ├── filtered/
│   │   │   │       │       │   ├── fake/
│   │   │   │       │       │   │   └── fake.go
│   │   │   │       │       │   └── trustroot.go
│   │   │   │       │       └── trustroot.go
│   │   │   │       └── v1beta1/
│   │   │   │           └── clusterimagepolicy/
│   │   │   │               ├── clusterimagepolicy.go
│   │   │   │               ├── fake/
│   │   │   │               │   └── fake.go
│   │   │   │               └── filtered/
│   │   │   │                   ├── clusterimagepolicy.go
│   │   │   │                   └── fake/
│   │   │   │                       └── fake.go
│   │   │   └── reconciler/
│   │   │       └── policy/
│   │   │           ├── v1alpha1/
│   │   │           │   ├── clusterimagepolicy/
│   │   │           │   │   ├── controller.go
│   │   │           │   │   ├── reconciler.go
│   │   │           │   │   └── state.go
│   │   │           │   └── trustroot/
│   │   │           │       ├── controller.go
│   │   │           │       ├── reconciler.go
│   │   │           │       └── state.go
│   │   │           └── v1beta1/
│   │   │               └── clusterimagepolicy/
│   │   │                   ├── controller.go
│   │   │                   ├── reconciler.go
│   │   │                   └── state.go
│   │   └── listers/
│   │       └── policy/
│   │           ├── v1alpha1/
│   │           │   ├── clusterimagepolicy.go
│   │           │   ├── expansion_generated.go
│   │           │   └── trustroot.go
│   │           └── v1beta1/
│   │               ├── clusterimagepolicy.go
│   │               └── expansion_generated.go
│   ├── config/
│   │   ├── store.go
│   │   ├── store_test.go
│   │   └── testdata/
│   │       ├── allow-all.yaml
│   │       ├── allow-empty-authorities.yaml
│   │       ├── deny-all-default.yaml
│   │       ├── deny-all-explicit.yaml
│   │       ├── enable-oci11-invalid.yaml
│   │       ├── enable-oci11.yaml
│   │       └── warn-all.yaml
│   ├── policy/
│   │   ├── README.md
│   │   ├── parse.go
│   │   ├── parse_test.go
│   │   ├── policy.go
│   │   ├── policy_test.go
│   │   ├── validate.go
│   │   ├── validate_test.go
│   │   ├── verifier.go
│   │   └── verifier_test.go
│   ├── reconciler/
│   │   ├── clusterimagepolicy/
│   │   │   ├── clusterimagepolicy.go
│   │   │   ├── clusterimagepolicy_test.go
│   │   │   ├── controller.go
│   │   │   ├── controller_test.go
│   │   │   └── resources/
│   │   │       └── configmap.go
│   │   ├── testing/
│   │   │   └── v1alpha1/
│   │   │       ├── clusterimagepolicy.go
│   │   │       ├── factory.go
│   │   │       ├── listers.go
│   │   │       └── trustroot.go
│   │   └── trustroot/
│   │       ├── controller.go
│   │       ├── controller_test.go
│   │       ├── resources/
│   │       │   └── configmap.go
│   │       ├── testdata/
│   │       │   ├── ctfeLogID.txt
│   │       │   ├── ctfePublicKey.pem
│   │       │   ├── fulcioCert.pem
│   │       │   ├── fulcioCertChain.pem
│   │       │   ├── marshalledEntry.json
│   │       │   ├── marshalledEntryFromMirrorFS.json
│   │       │   ├── rekorLogID.txt
│   │       │   ├── rekorPublicKey.pem
│   │       │   ├── root.json
│   │       │   ├── rootWithCustomTrustedRootJSON.json
│   │       │   ├── rootWithTrustedRootJSON.json
│   │       │   ├── testdata.go
│   │       │   └── tsaCertChain.pem
│   │       ├── trustroot.go
│   │       └── trustroot_test.go
│   ├── tuf/
│   │   ├── context.go
│   │   ├── context_test.go
│   │   ├── repo.go
│   │   └── repo_test.go
│   └── webhook/
│       ├── cache.go
│       ├── clusterimagepolicy/
│       │   └── clusterimagepolicy_types.go
│       ├── nocache.go
│       ├── registryauth/
│       │   ├── azure/
│       │   │   └── acrhelper.go
│       │   └── registryauth.go
│       ├── testdata/
│       │   └── cert.pem
│       ├── validation.go
│       ├── validator.go
│       ├── validator_result.go
│       └── validator_test.go
├── release/
│   ├── README.md
│   ├── ko-sign-release-images.sh
│   ├── ldflags.sh
│   └── release.mk
├── test/
│   ├── cert_utils.go
│   ├── ci.mk
│   ├── cmd/
│   │   └── getoidctoken/
│   │       └── main.go
│   ├── config/
│   │   └── gettoken/
│   │       └── gettoken.yaml
│   ├── e2e_test_cluster_image_policy.sh
│   ├── e2e_test_cluster_image_policy_from_configmap_with_fetch_config_file.sh
│   ├── e2e_test_cluster_image_policy_from_url.sh
│   ├── e2e_test_cluster_image_policy_no_tuf.sh
│   ├── e2e_test_cluster_image_policy_with_attestations.sh
│   ├── e2e_test_cluster_image_policy_with_attestations_rego.sh
│   ├── e2e_test_cluster_image_policy_with_fetch_config_file.sh
│   ├── e2e_test_cluster_image_policy_with_include_objectmeta.sh
│   ├── e2e_test_cluster_image_policy_with_include_spec.sh
│   ├── e2e_test_cluster_image_policy_with_include_typemeta.sh
│   ├── e2e_test_cluster_image_policy_with_oci11_attestations.sh
│   ├── e2e_test_cluster_image_policy_with_source.sh
│   ├── e2e_test_cluster_image_policy_with_trustroot_bring_own_keys.sh
│   ├── e2e_test_cluster_image_policy_with_trustroot_remote.sh
│   ├── e2e_test_cluster_image_policy_with_trustroot_repository.sh
│   ├── e2e_test_cluster_image_policy_with_tsa.sh
│   ├── e2e_test_cluster_image_policy_with_warn.sh
│   ├── e2e_test_cluster_with_scalable.sh
│   ├── e2e_test_policy_controller.sh
│   ├── e2e_test_policy_crd.sh
│   ├── e2e_test_trustroot_crd.sh
│   ├── kustomize/
│   │   └── kustomization.yaml
│   ├── kustomize-no-tuf/
│   │   └── kustomization.yaml
│   └── testdata/
│       ├── attestations/
│       │   └── vuln-predicate.json
│       ├── bom-go-mod.spdx
│       ├── fancy_from.Dockerfile
│       ├── policies/
│       │   ├── cue-fails.cue
│       │   ├── cue-policy-config.cue
│       │   ├── cue-vuln-fails.cue
│       │   ├── cue-vuln-works.cue
│       │   └── cue-works.cue
│       ├── resources/
│       │   ├── job.yaml
│       │   └── pod.yaml
│       ├── signed_manifest.yaml
│       ├── single_stage.Dockerfile
│       ├── test.wasm
│       ├── test_blob_cert.pem
│       ├── test_blob_private_key
│       ├── test_blob_public_key
│       ├── trustroot/
│       │   ├── e2e/
│       │   │   ├── bring-your-own-keys.yaml
│       │   │   ├── with-remote.yaml
│       │   │   ├── with-repository.yaml
│       │   │   └── with-tsa.yaml
│       │   ├── golden/
│       │   │   ├── ctfe.pem
│       │   │   ├── fulcio.crt.pem
│       │   │   ├── rekor.pem
│       │   │   └── tsa.crt.pem
│       │   └── valid/
│       │       └── valid-sigstore-keys.yaml
│       ├── unsigned_build_stage.Dockerfile
│       ├── unsigned_manifest.yaml
│       ├── with_arg.Dockerfile
│       └── with_lowercase.Dockerfile
└── third_party/
    └── VENDOR-LICENSE/
        ├── cloud.google.com/
        │   └── go/
        │       ├── auth/
        │       │   ├── LICENSE
        │       │   └── oauth2adapt/
        │       │       └── LICENSE
        │       ├── compute/
        │       │   └── metadata/
        │       │       └── LICENSE
        │       ├── iam/
        │       │   └── LICENSE
        │       ├── kms/
        │       │   └── LICENSE
        │       └── longrunning/
        │           └── LICENSE
        ├── contrib.go.opencensus.io/
        │   └── exporter/
        │       ├── ocagent/
        │       │   └── LICENSE
        │       └── prometheus/
        │           └── LICENSE
        ├── cuelang.org/
        │   └── go/
        │       └── LICENSE
        ├── github.com/
        │   ├── AliyunContainerService/
        │   │   └── ack-ram-tool/
        │   │       └── pkg/
        │   │           └── credentials/
        │   │               └── provider/
        │   │                   └── LICENSE
        │   ├── Azure/
        │   │   ├── azure-sdk-for-go/
        │   │   │   ├── LICENSE.txt
        │   │   │   ├── NOTICE.txt
        │   │   │   └── sdk/
        │   │   │       ├── azcore/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── azidentity/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── internal/
        │   │   │       │   └── LICENSE.txt
        │   │   │       └── security/
        │   │   │           └── keyvault/
        │   │   │               ├── azkeys/
        │   │   │               │   └── LICENSE.txt
        │   │   │               └── internal/
        │   │   │                   └── LICENSE.txt
        │   │   └── go-autorest/
        │   │       ├── autorest/
        │   │       │   ├── LICENSE
        │   │       │   ├── adal/
        │   │       │   │   └── LICENSE
        │   │       │   ├── azure/
        │   │       │   │   ├── auth/
        │   │       │   │   │   └── LICENSE
        │   │       │   │   └── cli/
        │   │       │   │       └── LICENSE
        │   │       │   └── date/
        │   │       │       └── LICENSE
        │   │       ├── logger/
        │   │       │   └── LICENSE
        │   │       └── tracing/
        │   │           └── LICENSE
        │   ├── AzureAD/
        │   │   └── microsoft-authentication-library-for-go/
        │   │       └── apps/
        │   │           └── LICENSE
        │   ├── LICENSE
        │   ├── agnivade/
        │   │   └── levenshtein/
        │   │       └── License.txt
        │   ├── alibabacloud-go/
        │   │   ├── alibabacloud-gateway-spi/
        │   │   │   └── client/
        │   │   │       └── LICENSE
        │   │   ├── cr-20181201/
        │   │   │   └── client/
        │   │   │       └── LICENSE
        │   │   ├── darabonba-openapi/
        │   │   │   └── client/
        │   │   │       └── LICENSE
        │   │   ├── debug/
        │   │   │   └── debug/
        │   │   │       └── LICENSE
        │   │   ├── endpoint-util/
        │   │   │   └── service/
        │   │   │       └── LICENSE
        │   │   ├── openapi-util/
        │   │   │   └── service/
        │   │   │       └── LICENSE
        │   │   ├── tea/
        │   │   │   └── LICENSE
        │   │   ├── tea-utils/
        │   │   │   └── service/
        │   │   │       └── LICENSE
        │   │   └── tea-xml/
        │   │       └── service/
        │   │           └── LICENSE
        │   ├── aliyun/
        │   │   └── credentials-go/
        │   │       └── credentials/
        │   │           └── LICENSE
        │   ├── asaskevich/
        │   │   └── govalidator/
        │   │       └── LICENSE
        │   ├── aws/
        │   │   ├── aws-sdk-go-v2/
        │   │   │   ├── LICENSE.txt
        │   │   │   ├── NOTICE.txt
        │   │   │   ├── config/
        │   │   │   │   └── LICENSE.txt
        │   │   │   ├── credentials/
        │   │   │   │   └── LICENSE.txt
        │   │   │   ├── feature/
        │   │   │   │   └── ec2/
        │   │   │   │       └── imds/
        │   │   │   │           └── LICENSE.txt
        │   │   │   ├── internal/
        │   │   │   │   ├── configsources/
        │   │   │   │   │   └── LICENSE.txt
        │   │   │   │   ├── endpoints/
        │   │   │   │   │   └── v2/
        │   │   │   │   │       └── LICENSE.txt
        │   │   │   │   ├── ini/
        │   │   │   │   │   └── LICENSE.txt
        │   │   │   │   └── sync/
        │   │   │   │       └── singleflight/
        │   │   │   │           └── LICENSE
        │   │   │   └── service/
        │   │   │       ├── ecr/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── ecrpublic/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── internal/
        │   │   │       │   ├── accept-encoding/
        │   │   │       │   │   └── LICENSE.txt
        │   │   │       │   └── presigned-url/
        │   │   │       │       └── LICENSE.txt
        │   │   │       ├── kms/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── signin/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── sso/
        │   │   │       │   └── LICENSE.txt
        │   │   │       ├── ssooidc/
        │   │   │       │   └── LICENSE.txt
        │   │   │       └── sts/
        │   │   │           └── LICENSE.txt
        │   │   └── smithy-go/
        │   │       ├── LICENSE
        │   │       ├── NOTICE
        │   │       └── internal/
        │   │           └── sync/
        │   │               └── singleflight/
        │   │                   └── LICENSE
        │   ├── awslabs/
        │   │   └── amazon-ecr-credential-helper/
        │   │       └── ecr-login/
        │   │           └── LICENSE
        │   ├── beorn7/
        │   │   └── perks/
        │   │       └── quantile/
        │   │           └── LICENSE
        │   ├── blang/
        │   │   └── semver/
        │   │       ├── LICENSE
        │   │       └── v4/
        │   │           └── LICENSE
        │   ├── blendle/
        │   │   └── zapdriver/
        │   │       └── LICENSE
        │   ├── cenkalti/
        │   │   └── backoff/
        │   │       ├── v4/
        │   │       │   └── LICENSE
        │   │       └── v5/
        │   │           └── LICENSE
        │   ├── census-instrumentation/
        │   │   └── opencensus-proto/
        │   │       └── gen-go/
        │   │           └── LICENSE
        │   ├── cespare/
        │   │   └── xxhash/
        │   │       └── v2/
        │   │           └── LICENSE.txt
        │   ├── chrismellard/
        │   │   └── docker-credential-acr-env/
        │   │       └── pkg/
        │   │           └── LICENSE
        │   ├── clbanning/
        │   │   └── mxj/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── cockroachdb/
        │   │   └── apd/
        │   │       └── v3/
        │   │           └── LICENSE
        │   ├── common-nighthawk/
        │   │   └── go-figure/
        │   │       └── LICENSE
        │   ├── containerd/
        │   │   ├── errdefs/
        │   │   │   ├── LICENSE
        │   │   │   └── pkg/
        │   │   │       └── LICENSE
        │   │   └── stargz-snapshotter/
        │   │       └── estargz/
        │   │           └── LICENSE
        │   ├── coreos/
        │   │   └── go-oidc/
        │   │       └── v3/
        │   │           └── oidc/
        │   │               ├── LICENSE
        │   │               └── NOTICE
        │   ├── cyberphone/
        │   │   └── json-canonicalization/
        │   │       └── go/
        │   │           └── src/
        │   │               └── webpki.org/
        │   │                   └── jsoncanonicalizer/
        │   │                       └── LICENSE
        │   ├── davecgh/
        │   │   └── go-spew/
        │   │       └── spew/
        │   │           └── LICENSE
        │   ├── digitorus/
        │   │   ├── pkcs7/
        │   │   │   └── LICENSE
        │   │   └── timestamp/
        │   │       └── LICENSE
        │   ├── dimchansky/
        │   │   └── utfbom/
        │   │       └── LICENSE
        │   ├── distribution/
        │   │   └── reference/
        │   │       └── LICENSE
        │   ├── docker/
        │   │   ├── cli/
        │   │   │   └── cli/
        │   │   │       └── config/
        │   │   │           ├── LICENSE
        │   │   │           └── NOTICE
        │   │   ├── distribution/
        │   │   │   └── registry/
        │   │   │       └── client/
        │   │   │           └── auth/
        │   │   │               └── challenge/
        │   │   │                   └── LICENSE
        │   │   ├── docker/
        │   │   │   ├── LICENSE
        │   │   │   └── NOTICE
        │   │   ├── docker-credential-helpers/
        │   │   │   └── LICENSE
        │   │   ├── go-connections/
        │   │   │   └── LICENSE
        │   │   └── go-units/
        │   │       └── LICENSE
        │   ├── dustin/
        │   │   └── go-humanize/
        │   │       └── LICENSE
        │   ├── emicklei/
        │   │   ├── go-restful/
        │   │   │   └── v3/
        │   │   │       └── LICENSE
        │   │   └── proto/
        │   │       └── LICENSE
        │   ├── evanphx/
        │   │   └── json-patch/
        │   │       └── v5/
        │   │           └── LICENSE
        │   ├── felixge/
        │   │   └── httpsnoop/
        │   │       └── LICENSE.txt
        │   ├── fsnotify/
        │   │   └── fsnotify/
        │   │       └── LICENSE
        │   ├── fxamacker/
        │   │   └── cbor/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── go-chi/
        │   │   └── chi/
        │   │       └── v5/
        │   │           └── LICENSE
        │   ├── go-ini/
        │   │   └── ini/
        │   │       └── LICENSE
        │   ├── go-jose/
        │   │   └── go-jose/
        │   │       └── v4/
        │   │           ├── LICENSE
        │   │           └── json/
        │   │               └── LICENSE
        │   ├── go-kit/
        │   │   └── log/
        │   │       └── LICENSE
        │   ├── go-logfmt/
        │   │   └── logfmt/
        │   │       └── LICENSE
        │   ├── go-logr/
        │   │   ├── logr/
        │   │   │   └── LICENSE
        │   │   └── stdr/
        │   │       └── LICENSE
        │   ├── go-openapi/
        │   │   ├── analysis/
        │   │   │   └── LICENSE
        │   │   ├── errors/
        │   │   │   └── LICENSE
        │   │   ├── jsonpointer/
        │   │   │   ├── LICENSE
        │   │   │   └── NOTICE
        │   │   ├── jsonreference/
        │   │   │   ├── LICENSE
        │   │   │   └── NOTICE
        │   │   ├── loads/
        │   │   │   └── LICENSE
        │   │   ├── runtime/
        │   │   │   ├── LICENSE
        │   │   │   └── middleware/
        │   │   │       └── denco/
        │   │   │           └── LICENSE
        │   │   ├── spec/
        │   │   │   └── LICENSE
        │   │   ├── strfmt/
        │   │   │   └── LICENSE
        │   │   ├── swag/
        │   │   │   ├── LICENSE
        │   │   │   ├── cmdutils/
        │   │   │   │   └── LICENSE
        │   │   │   ├── conv/
        │   │   │   │   └── LICENSE
        │   │   │   ├── fileutils/
        │   │   │   │   └── LICENSE
        │   │   │   ├── jsonname/
        │   │   │   │   └── LICENSE
        │   │   │   ├── jsonutils/
        │   │   │   │   └── LICENSE
        │   │   │   ├── loading/
        │   │   │   │   └── LICENSE
        │   │   │   ├── mangling/
        │   │   │   │   └── LICENSE
        │   │   │   ├── netutils/
        │   │   │   │   └── LICENSE
        │   │   │   ├── stringutils/
        │   │   │   │   └── LICENSE
        │   │   │   ├── typeutils/
        │   │   │   │   └── LICENSE
        │   │   │   └── yamlutils/
        │   │   │       └── LICENSE
        │   │   └── validate/
        │   │       └── LICENSE
        │   ├── go-viper/
        │   │   └── mapstructure/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── gobuffalo/
        │   │   └── flect/
        │   │       └── LICENSE
        │   ├── gobwas/
        │   │   └── glob/
        │   │       └── LICENSE
        │   ├── gogo/
        │   │   └── protobuf/
        │   │       └── LICENSE
        │   ├── golang/
        │   │   ├── groupcache/
        │   │   │   └── lru/
        │   │   │       └── LICENSE
        │   │   ├── protobuf/
        │   │   │   └── ptypes/
        │   │   │       └── timestamp/
        │   │   │           └── LICENSE
        │   │   └── snappy/
        │   │       └── LICENSE
        │   ├── golang-jwt/
        │   │   └── jwt/
        │   │       ├── v4/
        │   │       │   └── LICENSE
        │   │       └── v5/
        │   │           └── LICENSE
        │   ├── google/
        │   │   ├── certificate-transparency-go/
        │   │   │   └── LICENSE
        │   │   ├── gnostic-models/
        │   │   │   └── LICENSE
        │   │   ├── go-cmp/
        │   │   │   └── cmp/
        │   │   │       └── LICENSE
        │   │   ├── go-containerregistry/
        │   │   │   ├── LICENSE
        │   │   │   └── pkg/
        │   │   │       └── authn/
        │   │   │           ├── k8schain/
        │   │   │           │   └── LICENSE
        │   │   │           └── kubernetes/
        │   │   │               └── LICENSE
        │   │   ├── go-github/
        │   │   │   └── v73/
        │   │   │       └── github/
        │   │   │           └── LICENSE
        │   │   ├── go-querystring/
        │   │   │   └── query/
        │   │   │       └── LICENSE
        │   │   ├── s2a-go/
        │   │   │   └── LICENSE.md
        │   │   └── uuid/
        │   │       └── LICENSE
        │   ├── googleapis/
        │   │   ├── enterprise-certificate-proxy/
        │   │   │   └── client/
        │   │   │       └── LICENSE
        │   │   └── gax-go/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── grpc-ecosystem/
        │   │   └── grpc-gateway/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── hashicorp/
        │   │   ├── errwrap/
        │   │   │   ├── LICENSE
        │   │   │   ├── README.md
        │   │   │   └── errwrap.go
        │   │   ├── go-cleanhttp/
        │   │   │   ├── LICENSE
        │   │   │   ├── README.md
        │   │   │   ├── cleanhttp.go
        │   │   │   ├── doc.go
        │   │   │   └── handlers.go
        │   │   ├── go-multierror/
        │   │   │   ├── LICENSE
        │   │   │   ├── Makefile
        │   │   │   ├── README.md
        │   │   │   ├── append.go
        │   │   │   ├── flatten.go
        │   │   │   ├── format.go
        │   │   │   ├── group.go
        │   │   │   ├── multierror.go
        │   │   │   ├── prefix.go
        │   │   │   └── sort.go
        │   │   ├── go-retryablehttp/
        │   │   │   ├── .gitignore
        │   │   │   ├── .go-version
        │   │   │   ├── .golangci.yml
        │   │   │   ├── CHANGELOG.md
        │   │   │   ├── CODEOWNERS
        │   │   │   ├── LICENSE
        │   │   │   ├── Makefile
        │   │   │   ├── README.md
        │   │   │   ├── cert_error_go119.go
        │   │   │   ├── cert_error_go120.go
        │   │   │   ├── client.go
        │   │   │   └── roundtripper.go
        │   │   ├── go-rootcerts/
        │   │   │   ├── .travis.yml
        │   │   │   ├── LICENSE
        │   │   │   ├── Makefile
        │   │   │   ├── README.md
        │   │   │   ├── doc.go
        │   │   │   ├── rootcerts.go
        │   │   │   ├── rootcerts_base.go
        │   │   │   └── rootcerts_darwin.go
        │   │   ├── go-secure-stdlib/
        │   │   │   ├── parseutil/
        │   │   │   │   ├── LICENSE
        │   │   │   │   ├── normalize.go
        │   │   │   │   ├── parsepath.go
        │   │   │   │   └── parseutil.go
        │   │   │   └── strutil/
        │   │   │       ├── LICENSE
        │   │   │       └── strutil.go
        │   │   ├── go-sockaddr/
        │   │   │   ├── .gitignore
        │   │   │   ├── GNUmakefile
        │   │   │   ├── LICENSE
        │   │   │   ├── README.md
        │   │   │   ├── doc.go
        │   │   │   ├── ifaddr.go
        │   │   │   ├── ifaddrs.go
        │   │   │   ├── ifattr.go
        │   │   │   ├── ipaddr.go
        │   │   │   ├── ipaddrs.go
        │   │   │   ├── ipv4addr.go
        │   │   │   ├── ipv6addr.go
        │   │   │   ├── rfc.go
        │   │   │   ├── route_info.go
        │   │   │   ├── route_info_aix.go
        │   │   │   ├── route_info_android.go
        │   │   │   ├── route_info_bsd.go
        │   │   │   ├── route_info_default.go
        │   │   │   ├── route_info_linux.go
        │   │   │   ├── route_info_solaris.go
        │   │   │   ├── route_info_test_windows.go
        │   │   │   ├── route_info_windows.go
        │   │   │   ├── sockaddr.go
        │   │   │   ├── sockaddrs.go
        │   │   │   └── unixsock.go
        │   │   ├── golang-lru/
        │   │   │   ├── .gitignore
        │   │   │   ├── .golangci.yml
        │   │   │   ├── 2q.go
        │   │   │   ├── LICENSE
        │   │   │   ├── README.md
        │   │   │   ├── arc.go
        │   │   │   ├── doc.go
        │   │   │   ├── lru.go
        │   │   │   ├── simplelru/
        │   │   │   │   ├── lru.go
        │   │   │   │   └── lru_interface.go
        │   │   │   └── testing.go
        │   │   ├── hcl/
        │   │   │   ├── .gitignore
        │   │   │   ├── .travis.yml
        │   │   │   ├── LICENSE
        │   │   │   ├── Makefile
        │   │   │   ├── README.md
        │   │   │   ├── appveyor.yml
        │   │   │   ├── decoder.go
        │   │   │   ├── hcl/
        │   │   │   │   ├── ast/
        │   │   │   │   │   ├── ast.go
        │   │   │   │   │   └── walk.go
        │   │   │   │   ├── parser/
        │   │   │   │   │   ├── error.go
        │   │   │   │   │   └── parser.go
        │   │   │   │   ├── scanner/
        │   │   │   │   │   └── scanner.go
        │   │   │   │   ├── strconv/
        │   │   │   │   │   └── quote.go
        │   │   │   │   └── token/
        │   │   │   │       ├── position.go
        │   │   │   │       └── token.go
        │   │   │   ├── hcl.go
        │   │   │   ├── json/
        │   │   │   │   ├── parser/
        │   │   │   │   │   ├── flatten.go
        │   │   │   │   │   └── parser.go
        │   │   │   │   ├── scanner/
        │   │   │   │   │   └── scanner.go
        │   │   │   │   └── token/
        │   │   │   │       ├── position.go
        │   │   │   │       └── token.go
        │   │   │   ├── lex.go
        │   │   │   └── parse.go
        │   │   └── vault/
        │   │       └── api/
        │   │           ├── .copywrite.hcl
        │   │           ├── LICENSE
        │   │           ├── README.md
        │   │           ├── auth.go
        │   │           ├── auth_token.go
        │   │           ├── cliconfig/
        │   │           │   ├── config.go
        │   │           │   ├── hcl_dup_attr_deprecation.go
        │   │           │   └── util.go
        │   │           ├── client.go
        │   │           ├── hcl_dup_attr_deprecation.go
        │   │           ├── help.go
        │   │           ├── kv.go
        │   │           ├── kv_v1.go
        │   │           ├── kv_v2.go
        │   │           ├── lifetime_watcher.go
        │   │           ├── logical.go
        │   │           ├── logical_requests.go
        │   │           ├── output_policy.go
        │   │           ├── output_string.go
        │   │           ├── plugin_helpers.go
        │   │           ├── plugin_runtime_types.go
        │   │           ├── plugin_types.go
        │   │           ├── pluginruntimetype_enumer.go
        │   │           ├── renewbehavior_enumer.go
        │   │           ├── replication_status.go
        │   │           ├── request.go
        │   │           ├── response.go
        │   │           ├── secret.go
        │   │           ├── ssh.go
        │   │           ├── ssh_agent.go
        │   │           ├── sudo_paths.go
        │   │           ├── sys.go
        │   │           ├── sys_audit.go
        │   │           ├── sys_auth.go
        │   │           ├── sys_capabilities.go
        │   │           ├── sys_config_cors.go
        │   │           ├── sys_generate_root.go
        │   │           ├── sys_hastatus.go
        │   │           ├── sys_health.go
        │   │           ├── sys_init.go
        │   │           ├── sys_leader.go
        │   │           ├── sys_leases.go
        │   │           ├── sys_mfa.go
        │   │           ├── sys_monitor.go
        │   │           ├── sys_mounts.go
        │   │           ├── sys_plugins.go
        │   │           ├── sys_plugins_runtimes.go
        │   │           ├── sys_policy.go
        │   │           ├── sys_raft.go
        │   │           ├── sys_rekey.go
        │   │           ├── sys_rotate.go
        │   │           ├── sys_seal.go
        │   │           ├── sys_stepdown.go
        │   │           ├── sys_ui_custom_message.go
        │   │           ├── sys_utilization_report.go
        │   │           └── tokenhelper/
        │   │               ├── helper.go
        │   │               ├── helper_external.go
        │   │               ├── helper_internal.go
        │   │               └── testing.go
        │   ├── in-toto/
        │   │   ├── attestation/
        │   │   │   └── go/
        │   │   │       └── v1/
        │   │   │           └── LICENSE
        │   │   └── in-toto-golang/
        │   │       └── in_toto/
        │   │           └── LICENSE
        │   ├── jedisct1/
        │   │   └── go-minisign/
        │   │       └── LICENSE
        │   ├── jellydator/
        │   │   └── ttlcache/
        │   │       └── v3/
        │   │           └── LICENSE
        │   ├── json-iterator/
        │   │   └── go/
        │   │       └── LICENSE
        │   ├── kelseyhightower/
        │   │   └── envconfig/
        │   │       └── LICENSE
        │   ├── klauspost/
        │   │   └── compress/
        │   │       ├── LICENSE
        │   │       ├── internal/
        │   │       │   └── snapref/
        │   │       │       └── LICENSE
        │   │       └── zstd/
        │   │           └── internal/
        │   │               └── xxhash/
        │   │                   └── LICENSE.txt
        │   ├── kylelemons/
        │   │   └── godebug/
        │   │       └── LICENSE
        │   ├── lestrrat-go/
        │   │   ├── blackmagic/
        │   │   │   └── LICENSE
        │   │   ├── dsig/
        │   │   │   └── LICENSE
        │   │   ├── httpcc/
        │   │   │   └── LICENSE
        │   │   ├── httprc/
        │   │   │   └── v3/
        │   │   │       └── LICENSE
        │   │   ├── jwx/
        │   │   │   └── v3/
        │   │   │       └── LICENSE
        │   │   └── option/
        │   │       ├── LICENSE
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── letsencrypt/
        │   │   └── boulder/
        │   │       ├── LICENSE.txt
        │   │       ├── core/
        │   │       │   ├── challenges.go
        │   │       │   ├── interfaces.go
        │   │       │   ├── objects.go
        │   │       │   ├── proto/
        │   │       │   │   ├── core.pb.go
        │   │       │   │   └── core.proto
        │   │       │   └── util.go
        │   │       ├── goodkey/
        │   │       │   └── good_key.go
        │   │       ├── identifier/
        │   │       │   └── identifier.go
        │   │       ├── probs/
        │   │       │   └── probs.go
        │   │       └── revocation/
        │   │           └── reasons.go
        │   ├── mitchellh/
        │   │   ├── go-homedir/
        │   │   │   └── LICENSE
        │   │   ├── go-wordwrap/
        │   │   │   └── LICENSE.md
        │   │   └── mapstructure/
        │   │       └── LICENSE
        │   ├── moby/
        │   │   ├── docker-image-spec/
        │   │   │   └── specs-go/
        │   │   │       └── v1/
        │   │   │           └── LICENSE
        │   │   └── term/
        │   │       └── LICENSE
        │   ├── modern-go/
        │   │   ├── concurrent/
        │   │   │   └── LICENSE
        │   │   └── reflect2/
        │   │       └── LICENSE
        │   ├── mozillazg/
        │   │   └── docker-credential-acr-helper/
        │   │       └── pkg/
        │   │           └── LICENSE
        │   ├── munnerz/
        │   │   └── goautoneg/
        │   │       └── LICENSE
        │   ├── natefinch/
        │   │   └── atomic/
        │   │       └── LICENSE
        │   ├── nozzle/
        │   │   └── throttler/
        │   │       └── LICENSE
        │   ├── oklog/
        │   │   └── ulid/
        │   │       └── LICENSE
        │   ├── open-policy-agent/
        │   │   └── opa/
        │   │       ├── LICENSE
        │   │       └── internal/
        │   │           ├── edittree/
        │   │           │   └── bitvector/
        │   │           │       └── license.txt
        │   │           ├── gojsonschema/
        │   │           │   └── LICENSE-APACHE-2.0.txt
        │   │           └── semver/
        │   │               └── LICENSE
        │   ├── opencontainers/
        │   │   ├── go-digest/
        │   │   │   └── LICENSE
        │   │   └── image-spec/
        │   │       └── specs-go/
        │   │           └── LICENSE
        │   ├── pelletier/
        │   │   └── go-toml/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── pkg/
        │   │   ├── browser/
        │   │   │   └── LICENSE
        │   │   └── errors/
        │   │       └── LICENSE
        │   ├── pmezard/
        │   │   └── go-difflib/
        │   │       └── difflib/
        │   │           └── LICENSE
        │   ├── prometheus/
        │   │   ├── client_golang/
        │   │   │   ├── internal/
        │   │   │   │   └── github.com/
        │   │   │   │       └── golang/
        │   │   │   │           └── gddo/
        │   │   │   │               └── httputil/
        │   │   │   │                   └── LICENSE
        │   │   │   └── prometheus/
        │   │   │       ├── LICENSE
        │   │   │       └── NOTICE
        │   │   ├── client_model/
        │   │   │   └── go/
        │   │   │       ├── LICENSE
        │   │   │       └── NOTICE
        │   │   ├── common/
        │   │   │   ├── LICENSE
        │   │   │   └── NOTICE
        │   │   ├── procfs/
        │   │   │   ├── LICENSE
        │   │   │   └── NOTICE
        │   │   └── statsd_exporter/
        │   │       └── pkg/
        │   │           ├── LICENSE
        │   │           └── NOTICE
        │   ├── protocolbuffers/
        │   │   └── txtpbfmt/
        │   │       └── LICENSE
        │   ├── rcrowley/
        │   │   └── go-metrics/
        │   │       └── LICENSE
        │   ├── ryanuber/
        │   │   └── go-glob/
        │   │       └── LICENSE
        │   ├── sagikazarmark/
        │   │   └── locafero/
        │   │       └── LICENSE
        │   ├── sassoftware/
        │   │   └── relic/
        │   │       └── lib/
        │   │           └── LICENSE
        │   ├── secure-systems-lab/
        │   │   └── go-securesystemslib/
        │   │       └── LICENSE
        │   ├── shibumi/
        │   │   └── go-pathspec/
        │   │       └── LICENSE
        │   ├── sigstore/
        │   │   ├── cosign/
        │   │   │   └── v3/
        │   │   │       └── LICENSE
        │   │   ├── protobuf-specs/
        │   │   │   └── gen/
        │   │   │       └── pb-go/
        │   │   │           └── LICENSE
        │   │   ├── rekor/
        │   │   │   └── pkg/
        │   │   │       └── LICENSE
        │   │   ├── rekor-tiles/
        │   │   │   └── v2/
        │   │   │       └── LICENSE
        │   │   ├── scaffolding/
        │   │   │   └── pkg/
        │   │   │       └── repo/
        │   │   │           └── LICENSE
        │   │   ├── sigstore/
        │   │   │   └── pkg/
        │   │   │       ├── LICENSE
        │   │   │       └── signature/
        │   │   │           └── kms/
        │   │   │               ├── aws/
        │   │   │               │   └── LICENSE
        │   │   │               ├── azure/
        │   │   │               │   └── LICENSE
        │   │   │               ├── gcp/
        │   │   │               │   └── LICENSE
        │   │   │               └── hashivault/
        │   │   │                   └── LICENSE
        │   │   ├── sigstore-go/
        │   │   │   └── pkg/
        │   │   │       └── LICENSE
        │   │   └── timestamp-authority/
        │   │       └── v2/
        │   │           └── pkg/
        │   │               └── verification/
        │   │                   └── LICENSE
        │   ├── sirupsen/
        │   │   └── logrus/
        │   │       └── LICENSE
        │   ├── sourcegraph/
        │   │   └── conc/
        │   │       └── LICENSE
        │   ├── spf13/
        │   │   ├── afero/
        │   │   │   └── LICENSE.txt
        │   │   ├── cast/
        │   │   │   └── LICENSE
        │   │   ├── cobra/
        │   │   │   └── LICENSE.txt
        │   │   ├── pflag/
        │   │   │   └── LICENSE
        │   │   └── viper/
        │   │       └── LICENSE
        │   ├── subosito/
        │   │   └── gotenv/
        │   │       └── LICENSE
        │   ├── syndtr/
        │   │   └── goleveldb/
        │   │       └── leveldb/
        │   │           └── LICENSE
        │   ├── tchap/
        │   │   └── go-patricia/
        │   │       └── v2/
        │   │           └── patricia/
        │   │               └── LICENSE
        │   ├── theupdateframework/
        │   │   └── go-tuf/
        │   │       ├── LICENSE
        │   │       └── v2/
        │   │           └── metadata/
        │   │               ├── LICENSE
        │   │               └── NOTICE
        │   ├── titanous/
        │   │   └── rocacheck/
        │   │       └── LICENSE
        │   ├── tjfoc/
        │   │   └── gmsm/
        │   │       └── sm3/
        │   │           └── LICENSE
        │   ├── transparency-dev/
        │   │   ├── formats/
        │   │   │   └── log/
        │   │   │       └── LICENSE
        │   │   └── merkle/
        │   │       └── LICENSE
        │   ├── valyala/
        │   │   └── fastjson/
        │   │       └── LICENSE
        │   ├── vbatts/
        │   │   └── tar-split/
        │   │       └── archive/
        │   │           └── tar/
        │   │               └── LICENSE
        │   ├── vektah/
        │   │   └── gqlparser/
        │   │       └── v2/
        │   │           └── LICENSE
        │   ├── x448/
        │   │   └── float16/
        │   │       └── LICENSE
        │   ├── xeipuuv/
        │   │   ├── gojsonpointer/
        │   │   │   └── LICENSE-APACHE-2.0.txt
        │   │   └── gojsonreference/
        │   │       └── LICENSE-APACHE-2.0.txt
        │   └── yashtewari/
        │       └── glob-intersection/
        │           └── LICENSE
        ├── gitlab.com/
        │   └── gitlab-org/
        │       └── api/
        │           └── client-go/
        │               └── LICENSE
        ├── go.mongodb.org/
        │   └── mongo-driver/
        │       └── LICENSE
        ├── go.opencensus.io/
        │   └── LICENSE
        ├── go.opentelemetry.io/
        │   ├── auto/
        │   │   └── sdk/
        │   │       └── LICENSE
        │   ├── contrib/
        │   │   └── instrumentation/
        │   │       ├── google.golang.org/
        │   │       │   └── grpc/
        │   │       │       └── otelgrpc/
        │   │       │           └── LICENSE
        │   │       └── net/
        │   │           └── http/
        │   │               └── otelhttp/
        │   │                   └── LICENSE
        │   └── otel/
        │       ├── LICENSE
        │       ├── metric/
        │       │   └── LICENSE
        │       ├── sdk/
        │       │   └── LICENSE
        │       └── trace/
        │           └── LICENSE
        ├── go.uber.org/
        │   ├── atomic/
        │   │   └── LICENSE.txt
        │   ├── automaxprocs/
        │   │   └── LICENSE
        │   ├── multierr/
        │   │   └── LICENSE.txt
        │   └── zap/
        │       └── LICENSE
        ├── go.yaml.in/
        │   └── yaml/
        │       ├── v2/
        │       │   ├── LICENSE
        │       │   └── NOTICE
        │       └── v3/
        │           ├── LICENSE
        │           └── NOTICE
        ├── golang.org/
        │   └── x/
        │       ├── crypto/
        │       │   └── LICENSE
        │       ├── mod/
        │       │   └── LICENSE
        │       ├── net/
        │       │   └── LICENSE
        │       ├── oauth2/
        │       │   └── LICENSE
        │       ├── sync/
        │       │   └── LICENSE
        │       ├── sys/
        │       │   └── LICENSE
        │       ├── term/
        │       │   └── LICENSE
        │       ├── text/
        │       │   └── LICENSE
        │       └── time/
        │           └── rate/
        │               └── LICENSE
        ├── gomodules.xyz/
        │   └── jsonpatch/
        │       └── v2/
        │           └── LICENSE
        ├── google.golang.org/
        │   ├── api/
        │   │   ├── LICENSE
        │   │   └── internal/
        │   │       └── third_party/
        │   │           └── uritemplates/
        │   │               └── LICENSE
        │   ├── genproto/
        │   │   └── googleapis/
        │   │       ├── LICENSE
        │   │       ├── api/
        │   │       │   └── LICENSE
        │   │       └── rpc/
        │   │           └── LICENSE
        │   ├── grpc/
        │   │   ├── LICENSE
        │   │   └── NOTICE.txt
        │   └── protobuf/
        │       └── LICENSE
        ├── gopkg.in/
        │   ├── evanphx/
        │   │   └── json-patch.v4/
        │   │       └── LICENSE
        │   ├── inf.v0/
        │   │   └── LICENSE
        │   ├── ini.v1/
        │   │   └── LICENSE
        │   ├── yaml.v2/
        │   │   ├── LICENSE
        │   │   └── NOTICE
        │   └── yaml.v3/
        │       ├── LICENSE
        │       └── NOTICE
        ├── k8s.io/
        │   ├── api/
        │   │   └── LICENSE
        │   ├── apiextensions-apiserver/
        │   │   └── pkg/
        │   │       └── LICENSE
        │   ├── apimachinery/
        │   │   ├── pkg/
        │   │   │   └── LICENSE
        │   │   └── third_party/
        │   │       └── forked/
        │   │           └── golang/
        │   │               └── LICENSE
        │   ├── client-go/
        │   │   └── LICENSE
        │   ├── klog/
        │   │   └── v2/
        │   │       └── LICENSE
        │   ├── kube-openapi/
        │   │   └── pkg/
        │   │       ├── LICENSE
        │   │       ├── internal/
        │   │       │   └── third_party/
        │   │       │       └── go-json-experiment/
        │   │       │           └── json/
        │   │       │               └── LICENSE
        │   │       └── validation/
        │   │           └── spec/
        │   │               └── LICENSE
        │   └── utils/
        │       ├── LICENSE
        │       └── internal/
        │           └── third_party/
        │               └── forked/
        │                   └── golang/
        │                       └── LICENSE
        ├── knative.dev/
        │   ├── hack/
        │   │   └── schema/
        │   │       └── LICENSE
        │   └── pkg/
        │       └── LICENSE
        └── sigs.k8s.io/
            ├── json/
            │   └── LICENSE
            ├── randfill/
            │   ├── LICENSE
            │   └── NOTICE
            ├── release-utils/
            │   └── version/
            │       └── LICENSE
            ├── structured-merge-diff/
            │   └── v6/
            │       └── LICENSE
            └── yaml/
                └── LICENSE
SYMBOL INDEX (2945 symbols across 290 files)

FILE: cmd/api-docs/main.go
  constant headerTemplate (line 32) | headerTemplate = `
  function main (line 52) | func main() {
  function toSectionLink (line 56) | func toSectionLink(name string) string {
  function printTOC (line 62) | func printTOC(types []KubeTypes) {
  function printAPIDocs (line 72) | func printAPIDocs(version string, paths []string) {
  type Pair (line 115) | type Pair struct
  type KubeTypes (line 121) | type KubeTypes
  function ParseDocumentationFrom (line 127) | func ParseDocumentationFrom(srcs []string) []KubeTypes {
  function astFrom (line 157) | func astFrom(filePath string) *doc.Package {
  function fmtRawDoc (line 173) | func fmtRawDoc(rawDoc string) string {
  function toLink (line 214) | func toLink(typeName string) string {
  function wrapInLink (line 228) | func wrapInLink(text, link string) string {
  function fieldName (line 234) | func fieldName(field *ast.Field) string {
  function fieldRequired (line 254) | func fieldRequired(field *ast.Field) bool {
  function fieldType (line 264) | func fieldType(typ ast.Expr) string {

FILE: cmd/local-dev/clean.go
  function addCleanFlags (line 32) | func addCleanFlags(cmd *cobra.Command) {
  function init (line 36) | func init() {
  function clean (line 56) | func clean() {
  function cleanUpRegistry (line 74) | func cleanUpRegistry() error {

FILE: cmd/local-dev/main.go
  function main (line 18) | func main() {

FILE: cmd/local-dev/root.go
  function Execute (line 31) | func Execute() {

FILE: cmd/local-dev/setup.go
  constant localRegistryName (line 38) | localRegistryName            = "registry.local"
  constant localRegistryPort (line 39) | localRegistryPort            = 5001
  constant defaultKindestNodeVersionTag (line 40) | defaultKindestNodeVersionTag = "v1.27.3"
  function addSetupFlags (line 63) | func addSetupFlags(cmd *cobra.Command) {
  function buildFatalMessage (line 84) | func buildFatalMessage(err error, stderr bytes.Buffer) string {
  function setup (line 88) | func setup() {
  function createKindConfig (line 185) | func createKindConfig(clusterName, k8sVersion string) (string, error) {
  function setupLocalRegistry (line 195) | func setupLocalRegistry() error {
  function init (line 233) | func init() {

FILE: cmd/sample/main.go
  function main (line 20) | func main() {

FILE: cmd/schema/main.go
  function main (line 28) | func main() {

FILE: cmd/tester/main.go
  type output (line 43) | type output struct
  type LogLevel (line 48) | type LogLevel
  constant LevelDebug (line 51) | LevelDebug LogLevel = "debug"
  constant LevelInfo (line 52) | LevelInfo  LogLevel = "info"
  constant LevelWarn (line 53) | LevelWarn  LogLevel = "warn"
  constant LevelError (line 54) | LevelError LogLevel = "error"
  function getSugaredLogger (line 57) | func getSugaredLogger(value string) (*zap.SugaredLogger, error) {
  function setSugaredLogger (line 67) | func setSugaredLogger(logLevel LogLevel) (*zap.SugaredLogger, error) {
  function main (line 91) | func main() {

FILE: cmd/tester/trustroot.go
  function GetKeysFromTrustRoot (line 28) | func GetKeysFromTrustRoot(ctx context.Context, tr *v1alpha1.TrustRoot) (...

FILE: cmd/webhook/depcheck_test.go
  function TestNoDeps (line 24) | func TestNoDeps(t *testing.T) {

FILE: cmd/webhook/main.go
  function main (line 108) | func main() {
  type crdNoStatusUpdatesOrDeletes (line 171) | type crdNoStatusUpdatesOrDeletes struct
    method SupportedSubResources (line 179) | func (c *crdNoStatusUpdatesOrDeletes) SupportedSubResources() []string {
    method SupportedVerbs (line 188) | func (c *crdNoStatusUpdatesOrDeletes) SupportedVerbs() []admissionregi...
  type crdEphemeralContainers (line 175) | type crdEphemeralContainers struct
    method SupportedSubResources (line 184) | func (c *crdEphemeralContainers) SupportedSubResources() []string {
    method SupportedVerbs (line 195) | func (c *crdEphemeralContainers) SupportedVerbs() []admissionregistrat...
  function NewValidatingAdmissionController (line 223) | func NewValidatingAdmissionController(ctx context.Context, cmw configmap...
  function NewMutatingAdmissionController (line 272) | func NewMutatingAdmissionController(ctx context.Context, _ configmap.Wat...
  function NewPolicyValidatingAdmissionController (line 309) | func NewPolicyValidatingAdmissionController(ctx context.Context, cmw con...
  function NewPolicyMutatingAdmissionController (line 337) | func NewPolicyMutatingAdmissionController(ctx context.Context, _ configm...
  function newConversionController (line 358) | func newConversionController(ctx context.Context, _ configmap.Watcher) *...

FILE: hack/gentestdata/gentestdata.go
  function main (line 61) | func main() {
  function mustWriteFile (line 125) | func mustWriteFile(path string, data []byte) {
  function genPK (line 132) | func genPK() ([]byte, string) {
  function genCertChain (line 155) | func genCertChain(keyUsage x509.KeyUsage) [][]byte {
  function genTrustRoot (line 199) | func genTrustRoot(sigstoreKeysMap map[string]string) (marshalledEntry []...
  function populateLogIDs (line 212) | func populateLogIDs(sigstoreKeys *config.SigstoreKeys) error {
  function genLogID (line 230) | func genLogID(pkBytes []byte) (string, error) {
  function genTUFRepo (line 238) | func genTUFRepo(files map[string][]byte) ([]byte, []byte, error) {
  function genTrustedRoot (line 261) | func genTrustedRoot(sigstoreKeysMap map[string]string) ([]byte, error) {

FILE: pkg/apis/config/image_policies.go
  constant ImagePoliciesConfigName (line 36) | ImagePoliciesConfigName = "config-image-policies"
  type ImagePolicyConfig (line 39) | type ImagePolicyConfig struct
    method GetMatchingPolicies (line 86) | func (p *ImagePolicyConfig) GetMatchingPolicies(image string, kind, ap...
  function NewImagePoliciesConfigFromMap (line 47) | func NewImagePoliciesConfigFromMap(data map[string]string) (*ImagePolicy...
  function NewImagePoliciesConfigFromConfigMap (line 70) | func NewImagePoliciesConfigFromConfigMap(config *corev1.ConfigMap) (*Ima...
  function parseEntry (line 74) | func parseEntry(entry string, out interface{}) error {

FILE: pkg/apis/config/image_policies_test.go
  constant inlineKeyData (line 32) | inlineKeyData = `-----BEGIN PUBLIC KEY-----
  function TestDefaultsConfigurationFromFile (line 38) | func TestDefaultsConfigurationFromFile(t *testing.T) {
  function TestGetAuthorities (line 45) | func TestGetAuthorities(t *testing.T) {
  function TestFailsToLoadInvalid (line 243) | func TestFailsToLoadInvalid(t *testing.T) {
  function checkGetMatches (line 254) | func checkGetMatches(t *testing.T, c map[string]webhookcip.ClusterImageP...
  function checkPublicKey (line 270) | func checkPublicKey(t *testing.T, gotKey crypto.PublicKey) {
  function checkSourceOCI (line 290) | func checkSourceOCI(t *testing.T, authority []webhookcip.Authority) {
  function checkUIDAndResourceVersion (line 306) | func checkUIDAndResourceVersion(t *testing.T, cipName string, cip webhoo...

FILE: pkg/apis/config/sigstore_keys.go
  constant SigstoreKeysConfigName (line 42) | SigstoreKeysConfigName = "config-sigstore-keys"
  type SigstoreKeysMap (line 58) | type SigstoreKeysMap struct
  function NewSigstoreKeysFromMap (line 63) | func NewSigstoreKeysFromMap(data map[string]string) (*SigstoreKeysMap, e...
  function NewSigstoreKeysFromConfigMap (line 86) | func NewSigstoreKeysFromConfigMap(config *corev1.ConfigMap) (*SigstoreKe...
  function parseSigstoreKeys (line 90) | func parseSigstoreKeys(entry string, out *pbtrustroot.TrustedRoot) error {
  function ConvertSigstoreKeys (line 100) | func ConvertSigstoreKeys(_ context.Context, source *v1alpha1.SigstoreKey...
  function ConvertCertificateAuthority (line 138) | func ConvertCertificateAuthority(source v1alpha1.CertificateAuthority) (...
  function ConvertTransparencyLogInstance (line 160) | func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInsta...
  function HashStringToHashAlgorithm (line 180) | func HashStringToHashAlgorithm(hash string) pbcommon.HashAlgorithm {
  function SerializeCertChain (line 193) | func SerializeCertChain(certChain *pbcommon.X509CertificateChain) []byte {
  function SerializePublicKey (line 206) | func SerializePublicKey(publicKey *pbcommon.PublicKey) []byte {
  function DeserializeCertChain (line 214) | func DeserializeCertChain(chain []byte) (*pbcommon.X509CertificateChain,...
  function DeserializePublicKey (line 227) | func DeserializePublicKey(publicKey []byte) (*pbcommon.PublicKey, crypto...

FILE: pkg/apis/config/sigstore_keys_test.go
  constant rekorPublicKey (line 27) | rekorPublicKey = `-----BEGIN PUBLIC KEY-----
  constant tsaCertChain (line 32) | tsaCertChain = `-----BEGIN CERTIFICATE-----
  function TestDefaultsSigstoreKeysConfigurationFromFile (line 69) | func TestDefaultsSigstoreKeysConfigurationFromFile(t *testing.T) {

FILE: pkg/apis/config/store.go
  type cfgKey (line 24) | type cfgKey struct
  type Config (line 28) | type Config struct
  function FromContext (line 34) | func FromContext(ctx context.Context) *Config {
  function FromContextOrDefaults (line 44) | func FromContextOrDefaults(ctx context.Context) *Config {
  function ToContext (line 58) | func ToContext(ctx context.Context, c *Config) context.Context {
  type Store (line 64) | type Store struct
    method ToContext (line 86) | func (s *Store) ToContext(ctx context.Context) context.Context {
    method Load (line 91) | func (s *Store) Load() *Config {
  function NewStore (line 69) | func NewStore(logger configmap.Logger, onAfterStore ...func(name string,...

FILE: pkg/apis/config/store_test.go
  function TestStoreLoadWithContext (line 38) | func TestStoreLoadWithContext(t *testing.T) {
  function TestStoreLoadWithContextOrDefaults (line 63) | func TestStoreLoadWithContextOrDefaults(t *testing.T) {

FILE: pkg/apis/duck/v1beta1/podscalable_defaults.go
  type PodScalableDefaulter (line 23) | type PodScalableDefaulter
  method SetDefaults (line 26) | func (ps *PodScalable) SetDefaults(ctx context.Context) {
  type psdKey (line 33) | type psdKey struct
  function WithPodScalableDefaulter (line 35) | func WithPodScalableDefaulter(ctx context.Context, psd PodScalableDefaul...
  function GetPodScalableDefaulter (line 40) | func GetPodScalableDefaulter(ctx context.Context) PodScalableDefaulter {

FILE: pkg/apis/duck/v1beta1/podscalable_defaults_test.go
  function TestPodScalableDefaulting (line 28) | func TestPodScalableDefaulting(t *testing.T) {

FILE: pkg/apis/duck/v1beta1/podscalable_implements_test.go
  function TestImplementsPodScalable (line 26) | func TestImplementsPodScalable(t *testing.T) {

FILE: pkg/apis/duck/v1beta1/podscalable_types.go
  type PodScalable (line 35) | type PodScalable struct
    method GetFullType (line 65) | func (*PodScalable) GetFullType() duck.Populatable {
    method Populate (line 70) | func (ps *PodScalable) Populate() {
    method GetListType (line 103) | func (*PodScalable) GetListType() runtime.Object {
    method IsScalingDown (line 108) | func (ps *PodScalable) IsScalingDown(ctx context.Context) bool {
  type PodScalableSpec (line 45) | type PodScalableSpec struct
  type PodScalableStatus (line 53) | type PodScalableStatus struct
  type PodScalableList (line 124) | type PodScalableList struct

FILE: pkg/apis/duck/v1beta1/podscalable_types_test.go
  function TestPodScalableIsScalingDown (line 27) | func TestPodScalableIsScalingDown(t *testing.T) {

FILE: pkg/apis/duck/v1beta1/podscalable_validation.go
  type PodScalableValidator (line 25) | type PodScalableValidator
  method Validate (line 28) | func (ps *PodScalable) Validate(ctx context.Context) *apis.FieldError {
  type psvKey (line 36) | type psvKey struct
  function WithPodScalableValidator (line 38) | func WithPodScalableValidator(ctx context.Context, psv PodScalableValida...
  function GetPodScalableValidator (line 43) | func GetPodScalableValidator(ctx context.Context) PodScalableValidator {

FILE: pkg/apis/duck/v1beta1/podscalable_validation_test.go
  function TestPodScalableValidation (line 27) | func TestPodScalableValidation(t *testing.T) {

FILE: pkg/apis/duck/v1beta1/register.go
  function Kind (line 30) | func Kind(kind string) schema.GroupKind {
  function Resource (line 35) | func Resource(resource string) schema.GroupResource {
  function addKnownTypes (line 47) | func addKnownTypes(scheme *runtime.Scheme) error {

FILE: pkg/apis/duck/v1beta1/zz_generated.deepcopy.go
  method DeepCopyInto (line 28) | func (in *PodScalable) DeepCopyInto(out *PodScalable) {
  method DeepCopy (line 38) | func (in *PodScalable) DeepCopy() *PodScalable {
  method DeepCopyObject (line 48) | func (in *PodScalable) DeepCopyObject() runtime.Object {
  method DeepCopyInto (line 56) | func (in *PodScalableList) DeepCopyInto(out *PodScalableList) {
  method DeepCopy (line 71) | func (in *PodScalableList) DeepCopy() *PodScalableList {
  method DeepCopyObject (line 81) | func (in *PodScalableList) DeepCopyObject() runtime.Object {
  method DeepCopyInto (line 89) | func (in *PodScalableSpec) DeepCopyInto(out *PodScalableSpec) {
  method DeepCopy (line 106) | func (in *PodScalableSpec) DeepCopy() *PodScalableSpec {
  method DeepCopyInto (line 116) | func (in *PodScalableStatus) DeepCopyInto(out *PodScalableStatus) {
  method DeepCopy (line 122) | func (in *PodScalableStatus) DeepCopy() *PodScalableStatus {

FILE: pkg/apis/glob/glob.go
  constant ResolvedDockerhubHost (line 27) | ResolvedDockerhubHost = "index.docker.io/"
  constant DockerhubPublicRepository (line 30) | DockerhubPublicRepository = "library/"
  function Compile (line 37) | func Compile(glob string) (*regexp.Regexp, error) {
  function Match (line 79) | func Match(glob, image string) (bool, error) {

FILE: pkg/apis/glob/glob_test.go
  function TestGlobMatch (line 21) | func TestGlobMatch(t *testing.T) {

FILE: pkg/apis/policy/common/validation.go
  constant ociRepoDelimiter (line 35) | ociRepoDelimiter = "/"
  function ValidateOCI (line 58) | func ValidateOCI(oci string) error {
  function validAWSKMSRegex (line 99) | func validAWSKMSRegex(ref string) error {
  function validateAWSKMS (line 117) | func validateAWSKMS(kms string) *apis.FieldError {
  function ValidateKMS (line 154) | func ValidateKMS(kms string) *apis.FieldError {

FILE: pkg/apis/policy/common/validation_test.go
  function TestValidateOCI (line 23) | func TestValidateOCI(t *testing.T) {

FILE: pkg/apis/policy/register.go
  constant GroupName (line 21) | GroupName     = "policy.sigstore.dev"
  constant DuckGroupName (line 22) | DuckGroupName = "duck.policy.sigstore.dev"

FILE: pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go
  method ConvertTo (line 30) | func (c *ClusterImagePolicy) ConvertTo(ctx context.Context, obj apis.Con...
  method ConvertFrom (line 42) | func (c *ClusterImagePolicy) ConvertFrom(ctx context.Context, obj apis.C...
  method ConvertTo (line 53) | func (spec *ClusterImagePolicySpec) ConvertTo(ctx context.Context, sink ...
  method ConvertTo (line 81) | func (matchResource *MatchResource) ConvertTo(_ context.Context, sink *v...
  method ConvertTo (line 90) | func (authority *Authority) ConvertTo(ctx context.Context, sink *v1beta1...
  method ConvertTo (line 151) | func (p *Policy) ConvertTo(_ context.Context, sink *v1beta1.Policy) {
  method ConvertFrom (line 181) | func (p *Policy) ConvertFrom(_ context.Context, source *v1beta1.Policy) {
  method ConvertTo (line 211) | func (key *KeyRef) ConvertTo(_ context.Context, sink *v1beta1.KeyRef) {
  method ConvertFrom (line 218) | func (spec *ClusterImagePolicySpec) ConvertFrom(ctx context.Context, sou...
  method ConvertFrom (line 246) | func (authority *Authority) ConvertFrom(ctx context.Context, source *v1b...
  method ConvertFrom (line 307) | func (key *KeyRef) ConvertFrom(_ context.Context, source *v1beta1.KeyRef) {
  method ConvertFrom (line 314) | func (matchResource *MatchResource) ConvertFrom(_ context.Context, sourc...

FILE: pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion_test.go
  function TestConversionRoundTripV1alpha1 (line 30) | func TestConversionRoundTripV1alpha1(t *testing.T) {
  function TestConversionRoundTripV1beta1 (line 132) | func TestConversionRoundTripV1beta1(t *testing.T) {

FILE: pkg/apis/policy/v1alpha1/clusterimagepolicy_defaults.go
  method SetDefaults (line 25) | func (c *ClusterImagePolicy) SetDefaults(ctx context.Context) {
  method SetDefaults (line 29) | func (spec *ClusterImagePolicySpec) SetDefaults(_ context.Context) {

FILE: pkg/apis/policy/v1alpha1/clusterimagepolicy_defaults_test.go
  function TestNameDefaulting (line 25) | func TestNameDefaulting(t *testing.T) {
  function TestModeDefaulting (line 55) | func TestModeDefaulting(t *testing.T) {
  function TestKeylessURLDefaulting (line 84) | func TestKeylessURLDefaulting(t *testing.T) {
  function cipWithNames (line 123) | func cipWithNames(names []string) *ClusterImagePolicy {

FILE: pkg/apis/policy/v1alpha1/clusterimagepolicy_lifecycle.go
  constant inlineKeysFailedReason (line 22) | inlineKeysFailedReason     = "InliningKeysFailed"
  constant inlinePoliciesFailedReason (line 23) | inlinePoliciesFailedReason = "InliningPoliciesFailed"
  constant updateCMFailedReason (line 24) | updateCMFailedReason       = "UpdatingConfigMap"
  method GetConditionSet (line 35) | func (*ClusterImagePolicy) GetConditionSet() apis.ConditionSet {
  method IsReady (line 41) | func (c *ClusterImagePolicy) IsReady() bool {
  method IsFailed (line 49) | func (c *ClusterImagePolicy) IsFailed() bool {
  method InitializeConditions (line 56) | func (cs *ClusterImagePolicyStatus) InitializeConditions() {
  method MarkInlineKeysFailed (line 62) | func (cs *ClusterImagePolicyStatus) MarkInlineKeysFailed(msg string) {
  method MarkInlineKeysOk (line 68) | func (cs *ClusterImagePolicyStatus) MarkInlineKeysOk() {
  method MarkInlinePoliciesFailed (line 74) | func (cs *ClusterImagePolicyStatus) MarkInlinePoliciesFailed(msg string) {
  method MarkInlinePoliciesOk (line 80) | func (cs *ClusterImagePolicyStatus) MarkInlinePoliciesOk() {
  method MarkCMUpdateFailed (line 86) | func (cs *ClusterImagePolicyStatus) MarkCMUpdateFailed(msg string) {
  method MarkCMUpdatedOK (line 91) | func (cs *ClusterImagePolicyStatus) MarkCMUpdatedOK() {

FILE: pkg/apis/policy/v1alpha1/clusterimagepolicy_lifecycle_test.go
  function TestClusterImagePolicyDuckTypes (line 26) | func TestClusterImagePolicyDuckTypes(t *testing.T) {
  function TestClusterImagePolicyGetConditionSet (line 45) | func TestClusterImagePolicyGetConditionSet(t *testing.T) {
  function TestClusterImagePolicyIsReady (line 53) | func TestClusterImagePolicyIsReady(t *testing.T) {
  function TestClusterImagePolicyIsFailed (line 169) | func TestClusterImagePolicyIsFailed(t *testing.T) {

FILE: pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go
  type ClusterImagePolicy (line 33) | type ClusterImagePolicy struct
    method GetGroupVersionKind (line 75) | func (c *ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersion...
    method GetStatus (line 360) | func (c *ClusterImagePolicy) GetStatus() *duckv1.Status {
  constant ClusterImagePolicyConditionReady (line 57) | ClusterImagePolicyConditionReady = apis.ConditionReady
  constant ClusterImagePolicyConditionKeysInlined (line 62) | ClusterImagePolicyConditionKeysInlined apis.ConditionType = "KeysInlined"
  constant ClusterImagePolicyConditionPoliciesInlined (line 67) | ClusterImagePolicyConditionPoliciesInlined apis.ConditionType = "Policie...
  constant ClusterImagePolicyConditionCMUpdated (line 71) | ClusterImagePolicyConditionCMUpdated apis.ConditionType = "ConfigMapUpda...
  type ClusterImagePolicySpec (line 80) | type ClusterImagePolicySpec struct
  type ImagePattern (line 105) | type ImagePattern struct
  type Authority (line 118) | type Authority struct
  type KeyRef (line 156) | type KeyRef struct
  type StaticRef (line 174) | type StaticRef struct
  type Source (line 184) | type Source struct
  type TLog (line 202) | type TLog struct
  type KeylessRef (line 214) | type KeylessRef struct
  type Attestation (line 235) | type Attestation struct
  type MatchResource (line 249) | type MatchResource struct
  type RemotePolicy (line 257) | type RemotePolicy struct
  type Policy (line 267) | type Policy struct
  type ConfigMapReference (line 310) | type ConfigMapReference struct
  type Identity (line 326) | type Identity struct
  type RFC3161Timestamp (line 343) | type RFC3161Timestamp struct
  type ClusterImagePolicyStatus (line 351) | type ClusterImagePolicyStatus struct
  type ClusterImagePolicyList (line 367) | type ClusterImagePolicyList struct

FILE: pkg/apis/policy/v1alpha1/clusterimagepolicy_validation.go
  method Validate (line 35) | func (c *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldEr...
  method Validate (line 43) | func (spec *ClusterImagePolicySpec) Validate(ctx context.Context) (error...
  method Validate (line 71) | func (image *ImagePattern) Validate(_ context.Context) *apis.FieldError {
  method Validate (line 78) | func (authority *Authority) Validate(ctx context.Context) *apis.FieldErr...
  method Validate (line 134) | func (s *StaticRef) Validate(_ context.Context) *apis.FieldError {
  method Validate (line 145) | func (matchResource *MatchResource) Validate(_ context.Context) *apis.Fi...
  method Validate (line 158) | func (key *KeyRef) Validate(_ context.Context) *apis.FieldError {
  method Validate (line 192) | func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError {
  method Validate (line 216) | func (source *Source) Validate(_ context.Context) *apis.FieldError {
  method Validate (line 234) | func (a *Attestation) Validate(ctx context.Context) *apis.FieldError {
  method Validate (line 259) | func (cmr *ConfigMapReference) Validate(_ context.Context) *apis.FieldEr...
  method Validate (line 270) | func (r *RemotePolicy) Validate(_ context.Context) *apis.FieldError {
  method Validate (line 283) | func (p *Policy) Validate(ctx context.Context) *apis.FieldError {
  method Validate (line 324) | func (identity *Identity) Validate(_ context.Context) *apis.FieldError {
  function ValidateGlob (line 348) | func ValidateGlob(g string) *apis.FieldError {
  function ValidateRegex (line 358) | func ValidateRegex(regex string) *apis.FieldError {

FILE: pkg/apis/policy/v1alpha1/clusterimagepolicy_validation_test.go
  constant validPublicKey (line 31) | validPublicKey = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj...
  function TestImagePatternValidation (line 33) | func TestImagePatternValidation(t *testing.T) {
  function TestKeyValidation (line 137) | func TestKeyValidation(t *testing.T) {
  function TestKeylessValidation (line 250) | func TestKeylessValidation(t *testing.T) {
  function TestStaticValidation (line 354) | func TestStaticValidation(t *testing.T) {
  function TestModeValidation (line 520) | func TestModeValidation(t *testing.T) {
  function TestAuthoritiesValidation (line 555) | func TestAuthoritiesValidation(t *testing.T) {
  function TestAttestationsValidation (line 1017) | func TestAttestationsValidation(t *testing.T) {
  function TestIdentitiesValidation (line 1140) | func TestIdentitiesValidation(t *testing.T) {
  function TestAWSKMSValidation (line 1385) | func TestAWSKMSValidation(t *testing.T) {
  function TestMatchValidation (line 1452) | func TestMatchValidation(t *testing.T) {
  function validateError (line 1610) | func validateError(t *testing.T, wantErrStr, wantWarnStr string, fe *api...
  function TestIgnoreStatusUpdates (line 1631) | func TestIgnoreStatusUpdates(t *testing.T) {

FILE: pkg/apis/policy/v1alpha1/register.go
  function Kind (line 29) | func Kind(kind string) schema.GroupKind {
  function Resource (line 34) | func Resource(resource string) schema.GroupResource {
  function addKnownTypes (line 46) | func addKnownTypes(scheme *runtime.Scheme) error {

FILE: pkg/apis/policy/v1alpha1/trustroot_defaults.go
  method SetDefaults (line 20) | func (tr *TrustRoot) SetDefaults(ctx context.Context) {
  method SetDefaults (line 24) | func (spec *TrustRootSpec) SetDefaults(_ context.Context) {

FILE: pkg/apis/policy/v1alpha1/trustroot_defaults_test.go
  constant defaultTargets (line 23) | defaultTargets = "targets"
  function TestTargetsDefaulting (line 25) | func TestTargetsDefaulting(t *testing.T) {
  function trustrootWithTargets (line 55) | func trustrootWithTargets(repoTargets, remoteTargets string) *TrustRoot {

FILE: pkg/apis/policy/v1alpha1/trustroot_lifecycle.go
  method GetConditionSet (line 28) | func (*TrustRoot) GetConditionSet() apis.ConditionSet {
  method IsReady (line 34) | func (tr *TrustRoot) IsReady() bool {
  method IsFailed (line 42) | func (tr *TrustRoot) IsFailed() bool {
  method InitializeConditions (line 49) | func (ts *TrustRootStatus) InitializeConditions() {
  method MarkInlineKeysFailed (line 55) | func (ts *TrustRootStatus) MarkInlineKeysFailed(msg string) {
  method MarkInlineKeysOk (line 61) | func (ts *TrustRootStatus) MarkInlineKeysOk() {
  method MarkCMUpdateFailed (line 67) | func (ts *TrustRootStatus) MarkCMUpdateFailed(msg string) {
  method MarkCMUpdatedOK (line 72) | func (ts *TrustRootStatus) MarkCMUpdatedOK() {

FILE: pkg/apis/policy/v1alpha1/trustroot_types.go
  type TrustRoot (line 34) | type TrustRoot struct
    method GetGroupVersionKind (line 70) | func (tr *TrustRoot) GetGroupVersionKind() schema.GroupVersionKind {
    method GetStatus (line 212) | func (tr *TrustRoot) GetStatus() *duckv1.Status {
  constant TrustRootConditionReady (line 59) | TrustRootConditionReady = apis.ConditionReady
  constant TrustRootConditionKeysInlined (line 63) | TrustRootConditionKeysInlined apis.ConditionType = "KeysInlined"
  constant TrustRootConditionCMUpdated (line 66) | TrustRootConditionCMUpdated apis.ConditionType = "ConfigMapUpdated"
  type TrustRootSpec (line 82) | type TrustRootSpec struct
  type Remote (line 98) | type Remote struct
  type Repository (line 119) | type Repository struct
  type TransparencyLogInstance (line 147) | type TransparencyLogInstance struct
  type DistinguishedName (line 156) | type DistinguishedName struct
  type CertificateAuthority (line 161) | type CertificateAuthority struct
  type SigstoreKeys (line 188) | type SigstoreKeys struct
  type TrustRootStatus (line 203) | type TrustRootStatus struct
  type TrustRootList (line 219) | type TrustRootList struct

FILE: pkg/apis/policy/v1alpha1/trustroot_validation.go
  constant DefaultTUFRepoPrefix (line 32) | DefaultTUFRepoPrefix = "/repository/"
  method Validate (line 35) | func (tr *TrustRoot) Validate(ctx context.Context) *apis.FieldError {
  method Validate (line 43) | func (spec *TrustRootSpec) Validate(ctx context.Context) (errors *apis.F...
  method Validate (line 68) | func (repo *Repository) Validate(ctx context.Context) (errors *apis.Fiel...
  method Validate (line 98) | func (remote *Remote) Validate(ctx context.Context) (errors *apis.FieldE...
  method Validate (line 106) | func (sigstoreKeys *SigstoreKeys) Validate(ctx context.Context) (errors ...
  function ValidateRoot (line 129) | func ValidateRoot(_ context.Context, rootJSON []byte) *apis.FieldError {
  function ValidateCertificateAuthority (line 144) | func ValidateCertificateAuthority(ctx context.Context, ca CertificateAut...
  function ValidateTimeStampAuthority (line 155) | func ValidateTimeStampAuthority(ctx context.Context, ca CertificateAutho...
  function ValidateDistinguishedName (line 173) | func ValidateDistinguishedName(_ context.Context, dn DistinguishedName) ...
  function ValidateTransparencyLogInstance (line 183) | func ValidateTransparencyLogInstance(_ context.Context, tli Transparency...
  function SplitPEMCertificateChain (line 198) | func SplitPEMCertificateChain(pem []byte) (leaves, intermediates, roots ...

FILE: pkg/apis/policy/v1alpha1/trustroot_validation_test.go
  function TestTrustRootValidation (line 50) | func TestTrustRootValidation(t *testing.T) {
  function TestTimeStampAuthorityValidation (line 129) | func TestTimeStampAuthorityValidation(t *testing.T) {
  function TestIgnoreStatusUpdatesTrustRoot (line 192) | func TestIgnoreStatusUpdatesTrustRoot(t *testing.T) {

FILE: pkg/apis/policy/v1alpha1/zz_generated.deepcopy.go
  method DeepCopyInto (line 30) | func (in *Attestation) DeepCopyInto(out *Attestation) {
  method DeepCopy (line 41) | func (in *Attestation) DeepCopy() *Attestation {
  method DeepCopyInto (line 51) | func (in *Authority) DeepCopyInto(out *Authority) {
  method DeepCopy (line 96) | func (in *Authority) DeepCopy() *Authority {
  method DeepCopyInto (line 106) | func (in *CertificateAuthority) DeepCopyInto(out *CertificateAuthority) {
  method DeepCopy (line 119) | func (in *CertificateAuthority) DeepCopy() *CertificateAuthority {
  method DeepCopyInto (line 129) | func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) {
  method DeepCopy (line 139) | func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy {
  method DeepCopyObject (line 149) | func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object {
  method DeepCopyInto (line 157) | func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyLi...
  method DeepCopy (line 172) | func (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList {
  method DeepCopyObject (line 182) | func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object {
  method DeepCopyInto (line 190) | func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySp...
  method DeepCopy (line 220) | func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec {
  method DeepCopyInto (line 230) | func (in *ClusterImagePolicyStatus) DeepCopyInto(out *ClusterImagePolicy...
  method DeepCopy (line 237) | func (in *ClusterImagePolicyStatus) DeepCopy() *ClusterImagePolicyStatus {
  method DeepCopyInto (line 247) | func (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference) {
  method DeepCopy (line 253) | func (in *ConfigMapReference) DeepCopy() *ConfigMapReference {
  method DeepCopyInto (line 263) | func (in *DistinguishedName) DeepCopyInto(out *DistinguishedName) {
  method DeepCopy (line 269) | func (in *DistinguishedName) DeepCopy() *DistinguishedName {
  method DeepCopyInto (line 279) | func (in *Identity) DeepCopyInto(out *Identity) {
  method DeepCopy (line 285) | func (in *Identity) DeepCopy() *Identity {
  method DeepCopyInto (line 295) | func (in *ImagePattern) DeepCopyInto(out *ImagePattern) {
  method DeepCopy (line 301) | func (in *ImagePattern) DeepCopy() *ImagePattern {
  method DeepCopyInto (line 311) | func (in *KeyRef) DeepCopyInto(out *KeyRef) {
  method DeepCopy (line 322) | func (in *KeyRef) DeepCopy() *KeyRef {
  method DeepCopyInto (line 332) | func (in *KeylessRef) DeepCopyInto(out *KeylessRef) {
  method DeepCopy (line 358) | func (in *KeylessRef) DeepCopy() *KeylessRef {
  method DeepCopyInto (line 368) | func (in *MatchResource) DeepCopyInto(out *MatchResource) {
  method DeepCopy (line 380) | func (in *MatchResource) DeepCopy() *MatchResource {
  method DeepCopyInto (line 390) | func (in *Policy) DeepCopyInto(out *Policy) {
  method DeepCopy (line 426) | func (in *Policy) DeepCopy() *Policy {
  method DeepCopyInto (line 436) | func (in *RFC3161Timestamp) DeepCopyInto(out *RFC3161Timestamp) {
  method DeepCopy (line 442) | func (in *RFC3161Timestamp) DeepCopy() *RFC3161Timestamp {
  method DeepCopyInto (line 452) | func (in *Remote) DeepCopyInto(out *Remote) {
  method DeepCopy (line 464) | func (in *Remote) DeepCopy() *Remote {
  method DeepCopyInto (line 474) | func (in *RemotePolicy) DeepCopyInto(out *RemotePolicy) {
  method DeepCopy (line 481) | func (in *RemotePolicy) DeepCopy() *RemotePolicy {
  method DeepCopyInto (line 491) | func (in *Repository) DeepCopyInto(out *Repository) {
  method DeepCopy (line 507) | func (in *Repository) DeepCopy() *Repository {
  method DeepCopyInto (line 517) | func (in *SigstoreKeys) DeepCopyInto(out *SigstoreKeys) {
  method DeepCopy (line 551) | func (in *SigstoreKeys) DeepCopy() *SigstoreKeys {
  method DeepCopyInto (line 561) | func (in *Source) DeepCopyInto(out *Source) {
  method DeepCopy (line 577) | func (in *Source) DeepCopy() *Source {
  method DeepCopyInto (line 587) | func (in *StaticRef) DeepCopyInto(out *StaticRef) {
  method DeepCopy (line 593) | func (in *StaticRef) DeepCopy() *StaticRef {
  method DeepCopyInto (line 603) | func (in *TLog) DeepCopyInto(out *TLog) {
  method DeepCopy (line 614) | func (in *TLog) DeepCopy() *TLog {
  method DeepCopyInto (line 624) | func (in *TransparencyLogInstance) DeepCopyInto(out *TransparencyLogInst...
  method DeepCopy (line 636) | func (in *TransparencyLogInstance) DeepCopy() *TransparencyLogInstance {
  method DeepCopyInto (line 646) | func (in *TrustRoot) DeepCopyInto(out *TrustRoot) {
  method DeepCopy (line 656) | func (in *TrustRoot) DeepCopy() *TrustRoot {
  method DeepCopyObject (line 666) | func (in *TrustRoot) DeepCopyObject() runtime.Object {
  method DeepCopyInto (line 674) | func (in *TrustRootList) DeepCopyInto(out *TrustRootList) {
  method DeepCopy (line 689) | func (in *TrustRootList) DeepCopy() *TrustRootList {
  method DeepCopyObject (line 699) | func (in *TrustRootList) DeepCopyObject() runtime.Object {
  method DeepCopyInto (line 707) | func (in *TrustRootSpec) DeepCopyInto(out *TrustRootSpec) {
  method DeepCopy (line 728) | func (in *TrustRootSpec) DeepCopy() *TrustRootSpec {
  method DeepCopyInto (line 738) | func (in *TrustRootStatus) DeepCopyInto(out *TrustRootStatus) {
  method DeepCopy (line 745) | func (in *TrustRootStatus) DeepCopy() *TrustRootStatus {

FILE: pkg/apis/policy/v1beta1/clusterimagepolicy_conversion.go
  method ConvertTo (line 27) | func (c *ClusterImagePolicy) ConvertTo(_ context.Context, sink apis.Conv...
  method ConvertFrom (line 32) | func (c *ClusterImagePolicy) ConvertFrom(_ context.Context, source apis....

FILE: pkg/apis/policy/v1beta1/clusterimagepolicy_conversion_test.go
  type BadOne (line 25) | type BadOne struct
    method ConvertTo (line 27) | func (ct *BadOne) ConvertTo(_ context.Context, sink apis.Convertible) ...
    method ConvertFrom (line 30) | func (ct *BadOne) ConvertFrom(_ context.Context, source apis.Convertib...
  function TestClusterTaskConversionBadType (line 34) | func TestClusterTaskConversionBadType(t *testing.T) {

FILE: pkg/apis/policy/v1beta1/clusterimagepolicy_defaults.go
  method SetDefaults (line 25) | func (c *ClusterImagePolicy) SetDefaults(ctx context.Context) {
  method SetDefaults (line 29) | func (spec *ClusterImagePolicySpec) SetDefaults(_ context.Context) {

FILE: pkg/apis/policy/v1beta1/clusterimagepolicy_defaults_test.go
  function TestNameDefaulting (line 25) | func TestNameDefaulting(t *testing.T) {
  function TestModeDefaulting (line 55) | func TestModeDefaulting(t *testing.T) {
  function TestKeylessURLDefaulting (line 84) | func TestKeylessURLDefaulting(t *testing.T) {
  function cipWithNames (line 123) | func cipWithNames(names []string) *ClusterImagePolicy {

FILE: pkg/apis/policy/v1beta1/clusterimagepolicy_lifecycle.go
  constant inlineKeysFailedReason (line 22) | inlineKeysFailedReason     = "InliningKeysFailed"
  constant inlinePoliciesFailedReason (line 23) | inlinePoliciesFailedReason = "InliningPoliciesFailed"
  constant updateCMFailedReason (line 24) | updateCMFailedReason       = "UpdatingConfigMap"
  method GetConditionSet (line 35) | func (*ClusterImagePolicy) GetConditionSet() apis.ConditionSet {
  method IsReady (line 41) | func (c *ClusterImagePolicy) IsReady() bool {
  method IsFailed (line 49) | func (c *ClusterImagePolicy) IsFailed() bool {
  method InitializeConditions (line 56) | func (cs *ClusterImagePolicyStatus) InitializeConditions() {
  method MarkInlineKeysFailed (line 62) | func (cs *ClusterImagePolicyStatus) MarkInlineKeysFailed(msg string) {
  method MarkInlineKeysOk (line 68) | func (cs *ClusterImagePolicyStatus) MarkInlineKeysOk() {
  method MarkInlinePoliciesFailed (line 74) | func (cs *ClusterImagePolicyStatus) MarkInlinePoliciesFailed(msg string) {
  method MarkInlinePoliciesOk (line 80) | func (cs *ClusterImagePolicyStatus) MarkInlinePoliciesOk() {
  method MarkCMUpdateFailed (line 86) | func (cs *ClusterImagePolicyStatus) MarkCMUpdateFailed(msg string) {
  method MarkCMUpdatedOK (line 91) | func (cs *ClusterImagePolicyStatus) MarkCMUpdatedOK() {

FILE: pkg/apis/policy/v1beta1/clusterimagepolicy_types.go
  type ClusterImagePolicy (line 33) | type ClusterImagePolicy struct
    method GetGroupVersionKind (line 75) | func (c *ClusterImagePolicy) GetGroupVersionKind() schema.GroupVersion...
    method GetStatus (line 357) | func (c *ClusterImagePolicy) GetStatus() *duckv1.Status {
  constant ClusterImagePolicyConditionReady (line 57) | ClusterImagePolicyConditionReady = apis.ConditionReady
  constant ClusterImagePolicyConditionKeysInlined (line 62) | ClusterImagePolicyConditionKeysInlined apis.ConditionType = "KeysInlined"
  constant ClusterImagePolicyConditionPoliciesInlined (line 67) | ClusterImagePolicyConditionPoliciesInlined apis.ConditionType = "Policie...
  constant ClusterImagePolicyConditionCMUpdated (line 71) | ClusterImagePolicyConditionCMUpdated apis.ConditionType = "ConfigMapUpda...
  type ClusterImagePolicySpec (line 80) | type ClusterImagePolicySpec struct
  type ImagePattern (line 105) | type ImagePattern struct
  type Authority (line 117) | type Authority struct
  type KeyRef (line 155) | type KeyRef struct
  type StaticRef (line 173) | type StaticRef struct
  type Source (line 181) | type Source struct
  type TLog (line 199) | type TLog struct
  type KeylessRef (line 211) | type KeylessRef struct
  type Attestation (line 232) | type Attestation struct
  type RemotePolicy (line 245) | type RemotePolicy struct
  type Policy (line 255) | type Policy struct
  type MatchResource (line 298) | type MatchResource struct
  type ConfigMapReference (line 307) | type ConfigMapReference struct
  type Identity (line 323) | type Identity struct
  type RFC3161Timestamp (line 340) | type RFC3161Timestamp struct
  type ClusterImagePolicyStatus (line 348) | type ClusterImagePolicyStatus struct
  type ClusterImagePolicyList (line 364) | type ClusterImagePolicyList struct

FILE: pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go
  method Validate (line 35) | func (c *ClusterImagePolicy) Validate(ctx context.Context) *apis.FieldEr...
  method Validate (line 43) | func (spec *ClusterImagePolicySpec) Validate(ctx context.Context) (error...
  method Validate (line 72) | func (image *ImagePattern) Validate(_ context.Context) *apis.FieldError {
  method Validate (line 79) | func (matchResource *MatchResource) Validate(_ context.Context) *apis.Fi...
  method Validate (line 92) | func (authority *Authority) Validate(ctx context.Context) *apis.FieldErr...
  method Validate (line 148) | func (s *StaticRef) Validate(_ context.Context) *apis.FieldError {
  method Validate (line 159) | func (key *KeyRef) Validate(_ context.Context) *apis.FieldError {
  method Validate (line 193) | func (keyless *KeylessRef) Validate(ctx context.Context) *apis.FieldError {
  method Validate (line 217) | func (source *Source) Validate(_ context.Context) *apis.FieldError {
  method Validate (line 235) | func (a *Attestation) Validate(ctx context.Context) *apis.FieldError {
  method Validate (line 260) | func (cmr *ConfigMapReference) Validate(_ context.Context) *apis.FieldEr...
  method Validate (line 271) | func (r *RemotePolicy) Validate(_ context.Context) *apis.FieldError {
  method Validate (line 284) | func (p *Policy) Validate(ctx context.Context) *apis.FieldError {
  method Validate (line 325) | func (identity *Identity) Validate(_ context.Context) *apis.FieldError {
  function ValidateGlob (line 349) | func ValidateGlob(g string) *apis.FieldError {
  function ValidateRegex (line 359) | func ValidateRegex(regex string) *apis.FieldError {

FILE: pkg/apis/policy/v1beta1/clusterimagepolicy_validation_test.go
  constant validPublicKey (line 34) | validPublicKey = "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj...
  constant signatureSHA512HashAlgorithm (line 37) | signatureSHA512HashAlgorithm     = "sha512"
  constant signatureSHAInvalidHashAlgorithm (line 38) | signatureSHAInvalidHashAlgorithm = "shaInvalid"
  function TestImagePatternValidation (line 41) | func TestImagePatternValidation(t *testing.T) {
  function TestKeyValidation (line 99) | func TestKeyValidation(t *testing.T) {
  function TestKeylessValidation (line 298) | func TestKeylessValidation(t *testing.T) {
  function TestStaticValidation (line 402) | func TestStaticValidation(t *testing.T) {
  function TestModeValidation (line 568) | func TestModeValidation(t *testing.T) {
  function TestAuthoritiesValidation (line 603) | func TestAuthoritiesValidation(t *testing.T) {
  function TestEmptyAuthoritiesValidation (line 1079) | func TestEmptyAuthoritiesValidation(t *testing.T) {
  function TestAttestationsValidation (line 1105) | func TestAttestationsValidation(t *testing.T) {
  function TestIdentitiesValidation (line 1228) | func TestIdentitiesValidation(t *testing.T) {
  function TestAWSKMSValidation (line 1473) | func TestAWSKMSValidation(t *testing.T) {
  function validateError (line 1541) | func validateError(t *testing.T, wantErrStr, wantWarnStr string, fe *api...
  function TestMatchValidation (line 1562) | func TestMatchValidation(t *testing.T) {
  function TestIgnoreStatusUpdates (line 1714) | func TestIgnoreStatusUpdates(t *testing.T) {

FILE: pkg/apis/policy/v1beta1/register.go
  function Kind (line 29) | func Kind(kind string) schema.GroupKind {
  function Resource (line 34) | func Resource(resource string) schema.GroupResource {
  function addKnownTypes (line 46) | func addKnownTypes(scheme *runtime.Scheme) error {

FILE: pkg/apis/policy/v1beta1/zz_generated.deepcopy.go
  method DeepCopyInto (line 30) | func (in *Attestation) DeepCopyInto(out *Attestation) {
  method DeepCopy (line 41) | func (in *Attestation) DeepCopy() *Attestation {
  method DeepCopyInto (line 51) | func (in *Authority) DeepCopyInto(out *Authority) {
  method DeepCopy (line 96) | func (in *Authority) DeepCopy() *Authority {
  method DeepCopyInto (line 106) | func (in *ClusterImagePolicy) DeepCopyInto(out *ClusterImagePolicy) {
  method DeepCopy (line 116) | func (in *ClusterImagePolicy) DeepCopy() *ClusterImagePolicy {
  method DeepCopyObject (line 126) | func (in *ClusterImagePolicy) DeepCopyObject() runtime.Object {
  method DeepCopyInto (line 134) | func (in *ClusterImagePolicyList) DeepCopyInto(out *ClusterImagePolicyLi...
  method DeepCopy (line 149) | func (in *ClusterImagePolicyList) DeepCopy() *ClusterImagePolicyList {
  method DeepCopyObject (line 159) | func (in *ClusterImagePolicyList) DeepCopyObject() runtime.Object {
  method DeepCopyInto (line 167) | func (in *ClusterImagePolicySpec) DeepCopyInto(out *ClusterImagePolicySp...
  method DeepCopy (line 197) | func (in *ClusterImagePolicySpec) DeepCopy() *ClusterImagePolicySpec {
  method DeepCopyInto (line 207) | func (in *ClusterImagePolicyStatus) DeepCopyInto(out *ClusterImagePolicy...
  method DeepCopy (line 214) | func (in *ClusterImagePolicyStatus) DeepCopy() *ClusterImagePolicyStatus {
  method DeepCopyInto (line 224) | func (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference) {
  method DeepCopy (line 230) | func (in *ConfigMapReference) DeepCopy() *ConfigMapReference {
  method DeepCopyInto (line 240) | func (in *Identity) DeepCopyInto(out *Identity) {
  method DeepCopy (line 246) | func (in *Identity) DeepCopy() *Identity {
  method DeepCopyInto (line 256) | func (in *ImagePattern) DeepCopyInto(out *ImagePattern) {
  method DeepCopy (line 262) | func (in *ImagePattern) DeepCopy() *ImagePattern {
  method DeepCopyInto (line 272) | func (in *KeyRef) DeepCopyInto(out *KeyRef) {
  method DeepCopy (line 283) | func (in *KeyRef) DeepCopy() *KeyRef {
  method DeepCopyInto (line 293) | func (in *KeylessRef) DeepCopyInto(out *KeylessRef) {
  method DeepCopy (line 319) | func (in *KeylessRef) DeepCopy() *KeylessRef {
  method DeepCopyInto (line 329) | func (in *MatchResource) DeepCopyInto(out *MatchResource) {
  method DeepCopy (line 341) | func (in *MatchResource) DeepCopy() *MatchResource {
  method DeepCopyInto (line 351) | func (in *Policy) DeepCopyInto(out *Policy) {
  method DeepCopy (line 387) | func (in *Policy) DeepCopy() *Policy {
  method DeepCopyInto (line 397) | func (in *RFC3161Timestamp) DeepCopyInto(out *RFC3161Timestamp) {
  method DeepCopy (line 403) | func (in *RFC3161Timestamp) DeepCopy() *RFC3161Timestamp {
  method DeepCopyInto (line 413) | func (in *RemotePolicy) DeepCopyInto(out *RemotePolicy) {
  method DeepCopy (line 420) | func (in *RemotePolicy) DeepCopy() *RemotePolicy {
  method DeepCopyInto (line 430) | func (in *Source) DeepCopyInto(out *Source) {
  method DeepCopy (line 446) | func (in *Source) DeepCopy() *Source {
  method DeepCopyInto (line 456) | func (in *StaticRef) DeepCopyInto(out *StaticRef) {
  method DeepCopy (line 462) | func (in *StaticRef) DeepCopy() *StaticRef {
  method DeepCopyInto (line 472) | func (in *TLog) DeepCopyInto(out *TLog) {
  method DeepCopy (line 483) | func (in *TLog) DeepCopy() *TLog {

FILE: pkg/apis/signaturealgo/signature_digest.go
  function HashAlgorithm (line 35) | func HashAlgorithm(algorithmName string) (crypto.Hash, error) {

FILE: pkg/apis/signaturealgo/signature_digest_test.go
  function TestHashAlgorithm (line 22) | func TestHashAlgorithm(t *testing.T) {

FILE: pkg/client/clientset/versioned/clientset.go
  type Interface (line 30) | type Interface interface
  type Clientset (line 37) | type Clientset struct
    method PolicyV1alpha1 (line 44) | func (c *Clientset) PolicyV1alpha1() policyv1alpha1.PolicyV1alpha1Inte...
    method PolicyV1beta1 (line 49) | func (c *Clientset) PolicyV1beta1() policyv1beta1.PolicyV1beta1Interfa...
    method Discovery (line 54) | func (c *Clientset) Discovery() discovery.DiscoveryInterface {
  function NewForConfig (line 66) | func NewForConfig(c *rest.Config) (*Clientset, error) {
  function NewForConfigAndClient (line 86) | func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Cl...
  function NewForConfigOrDie (line 115) | func NewForConfigOrDie(c *rest.Config) *Clientset {
  function New (line 124) | func New(c rest.Interface) *Clientset {

FILE: pkg/client/clientset/versioned/fake/clientset_generated.go
  function NewSimpleClientset (line 36) | func NewSimpleClientset(objects ...runtime.Object) *Clientset {
  type Clientset (line 63) | type Clientset struct
    method Discovery (line 69) | func (c *Clientset) Discovery() discovery.DiscoveryInterface {
    method Tracker (line 73) | func (c *Clientset) Tracker() testing.ObjectTracker {
    method PolicyV1alpha1 (line 83) | func (c *Clientset) PolicyV1alpha1() policyv1alpha1.PolicyV1alpha1Inte...
    method PolicyV1beta1 (line 88) | func (c *Clientset) PolicyV1beta1() policyv1beta1.PolicyV1beta1Interfa...

FILE: pkg/client/clientset/versioned/fake/register.go
  function init (line 53) | func init() {

FILE: pkg/client/clientset/versioned/scheme/register.go
  function init (line 53) | func init() {

FILE: pkg/client/clientset/versioned/typed/duck/v1beta1/duck_client.go
  type DuckV1beta1Interface (line 27) | type DuckV1beta1Interface interface
  type DuckV1beta1Client (line 32) | type DuckV1beta1Client struct
    method RESTClient (line 95) | func (c *DuckV1beta1Client) RESTClient() rest.Interface {
  function NewForConfig (line 39) | func NewForConfig(c *rest.Config) (*DuckV1beta1Client, error) {
  function NewForConfigAndClient (line 53) | func NewForConfigAndClient(c *rest.Config, h *http.Client) (*DuckV1beta1...
  function NewForConfigOrDie (line 67) | func NewForConfigOrDie(c *rest.Config) *DuckV1beta1Client {
  function New (line 76) | func New(c rest.Interface) *DuckV1beta1Client {
  function setConfigDefaults (line 80) | func setConfigDefaults(config *rest.Config) error {

FILE: pkg/client/clientset/versioned/typed/duck/v1beta1/fake/fake_duck_client.go
  type FakeDuckV1beta1 (line 24) | type FakeDuckV1beta1 struct
    method RESTClient (line 30) | func (c *FakeDuckV1beta1) RESTClient() rest.Interface {

FILE: pkg/client/clientset/versioned/typed/policy/v1alpha1/clusterimagepolicy.go
  type ClusterImagePoliciesGetter (line 33) | type ClusterImagePoliciesGetter interface
  type ClusterImagePolicyInterface (line 38) | type ClusterImagePolicyInterface interface
  type clusterImagePolicies (line 52) | type clusterImagePolicies struct
    method Get (line 64) | func (c *clusterImagePolicies) Get(ctx context.Context, name string, o...
    method List (line 76) | func (c *clusterImagePolicies) List(ctx context.Context, opts v1.ListO...
    method Watch (line 92) | func (c *clusterImagePolicies) Watch(ctx context.Context, opts v1.List...
    method Create (line 106) | func (c *clusterImagePolicies) Create(ctx context.Context, clusterImag...
    method Update (line 118) | func (c *clusterImagePolicies) Update(ctx context.Context, clusterImag...
    method UpdateStatus (line 132) | func (c *clusterImagePolicies) UpdateStatus(ctx context.Context, clust...
    method Delete (line 146) | func (c *clusterImagePolicies) Delete(ctx context.Context, name string...
    method DeleteCollection (line 156) | func (c *clusterImagePolicies) DeleteCollection(ctx context.Context, o...
    method Patch (line 171) | func (c *clusterImagePolicies) Patch(ctx context.Context, name string,...
  function newClusterImagePolicies (line 57) | func newClusterImagePolicies(c *PolicyV1alpha1Client) *clusterImagePolic...

FILE: pkg/client/clientset/versioned/typed/policy/v1alpha1/fake/fake_clusterimagepolicy.go
  type FakeClusterImagePolicies (line 31) | type FakeClusterImagePolicies struct
    method Get (line 40) | func (c *FakeClusterImagePolicies) Get(ctx context.Context, name strin...
    method List (line 50) | func (c *FakeClusterImagePolicies) List(ctx context.Context, opts v1.L...
    method Watch (line 71) | func (c *FakeClusterImagePolicies) Watch(ctx context.Context, opts v1....
    method Create (line 77) | func (c *FakeClusterImagePolicies) Create(ctx context.Context, cluster...
    method Update (line 87) | func (c *FakeClusterImagePolicies) Update(ctx context.Context, cluster...
    method UpdateStatus (line 98) | func (c *FakeClusterImagePolicies) UpdateStatus(ctx context.Context, c...
    method Delete (line 108) | func (c *FakeClusterImagePolicies) Delete(ctx context.Context, name st...
    method DeleteCollection (line 115) | func (c *FakeClusterImagePolicies) DeleteCollection(ctx context.Contex...
    method Patch (line 123) | func (c *FakeClusterImagePolicies) Patch(ctx context.Context, name str...

FILE: pkg/client/clientset/versioned/typed/policy/v1alpha1/fake/fake_policy_client.go
  type FakePolicyV1alpha1 (line 25) | type FakePolicyV1alpha1 struct
    method ClusterImagePolicies (line 29) | func (c *FakePolicyV1alpha1) ClusterImagePolicies() v1alpha1.ClusterIm...
    method TrustRoots (line 33) | func (c *FakePolicyV1alpha1) TrustRoots() v1alpha1.TrustRootInterface {
    method RESTClient (line 39) | func (c *FakePolicyV1alpha1) RESTClient() rest.Interface {

FILE: pkg/client/clientset/versioned/typed/policy/v1alpha1/fake/fake_trustroot.go
  type FakeTrustRoots (line 31) | type FakeTrustRoots struct
    method Get (line 40) | func (c *FakeTrustRoots) Get(ctx context.Context, name string, options...
    method List (line 50) | func (c *FakeTrustRoots) List(ctx context.Context, opts v1.ListOptions...
    method Watch (line 71) | func (c *FakeTrustRoots) Watch(ctx context.Context, opts v1.ListOption...
    method Create (line 77) | func (c *FakeTrustRoots) Create(ctx context.Context, trustRoot *v1alph...
    method Update (line 87) | func (c *FakeTrustRoots) Update(ctx context.Context, trustRoot *v1alph...
    method UpdateStatus (line 98) | func (c *FakeTrustRoots) UpdateStatus(ctx context.Context, trustRoot *...
    method Delete (line 108) | func (c *FakeTrustRoots) Delete(ctx context.Context, name string, opts...
    method DeleteCollection (line 115) | func (c *FakeTrustRoots) DeleteCollection(ctx context.Context, opts v1...
    method Patch (line 123) | func (c *FakeTrustRoots) Patch(ctx context.Context, name string, pt ty...

FILE: pkg/client/clientset/versioned/typed/policy/v1alpha1/generated_expansion.go
  type ClusterImagePolicyExpansion (line 19) | type ClusterImagePolicyExpansion interface
  type TrustRootExpansion (line 21) | type TrustRootExpansion interface

FILE: pkg/client/clientset/versioned/typed/policy/v1alpha1/policy_client.go
  type PolicyV1alpha1Interface (line 27) | type PolicyV1alpha1Interface interface
  type PolicyV1alpha1Client (line 34) | type PolicyV1alpha1Client struct
    method ClusterImagePolicies (line 38) | func (c *PolicyV1alpha1Client) ClusterImagePolicies() ClusterImagePoli...
    method TrustRoots (line 42) | func (c *PolicyV1alpha1Client) TrustRoots() TrustRootInterface {
    method RESTClient (line 105) | func (c *PolicyV1alpha1Client) RESTClient() rest.Interface {
  function NewForConfig (line 49) | func NewForConfig(c *rest.Config) (*PolicyV1alpha1Client, error) {
  function NewForConfigAndClient (line 63) | func NewForConfigAndClient(c *rest.Config, h *http.Client) (*PolicyV1alp...
  function NewForConfigOrDie (line 77) | func NewForConfigOrDie(c *rest.Config) *PolicyV1alpha1Client {
  function New (line 86) | func New(c rest.Interface) *PolicyV1alpha1Client {
  function setConfigDefaults (line 90) | func setConfigDefaults(config *rest.Config) error {

FILE: pkg/client/clientset/versioned/typed/policy/v1alpha1/trustroot.go
  type TrustRootsGetter (line 33) | type TrustRootsGetter interface
  type TrustRootInterface (line 38) | type TrustRootInterface interface
  type trustRoots (line 52) | type trustRoots struct
    method Get (line 64) | func (c *trustRoots) Get(ctx context.Context, name string, options v1....
    method List (line 76) | func (c *trustRoots) List(ctx context.Context, opts v1.ListOptions) (r...
    method Watch (line 92) | func (c *trustRoots) Watch(ctx context.Context, opts v1.ListOptions) (...
    method Create (line 106) | func (c *trustRoots) Create(ctx context.Context, trustRoot *v1alpha1.T...
    method Update (line 118) | func (c *trustRoots) Update(ctx context.Context, trustRoot *v1alpha1.T...
    method UpdateStatus (line 132) | func (c *trustRoots) UpdateStatus(ctx context.Context, trustRoot *v1al...
    method Delete (line 146) | func (c *trustRoots) Delete(ctx context.Context, name string, opts v1....
    method DeleteCollection (line 156) | func (c *trustRoots) DeleteCollection(ctx context.Context, opts v1.Del...
    method Patch (line 171) | func (c *trustRoots) Patch(ctx context.Context, name string, pt types....
  function newTrustRoots (line 57) | func newTrustRoots(c *PolicyV1alpha1Client) *trustRoots {

FILE: pkg/client/clientset/versioned/typed/policy/v1beta1/clusterimagepolicy.go
  type ClusterImagePoliciesGetter (line 33) | type ClusterImagePoliciesGetter interface
  type ClusterImagePolicyInterface (line 38) | type ClusterImagePolicyInterface interface
  type clusterImagePolicies (line 52) | type clusterImagePolicies struct
    method Get (line 64) | func (c *clusterImagePolicies) Get(ctx context.Context, name string, o...
    method List (line 76) | func (c *clusterImagePolicies) List(ctx context.Context, opts v1.ListO...
    method Watch (line 92) | func (c *clusterImagePolicies) Watch(ctx context.Context, opts v1.List...
    method Create (line 106) | func (c *clusterImagePolicies) Create(ctx context.Context, clusterImag...
    method Update (line 118) | func (c *clusterImagePolicies) Update(ctx context.Context, clusterImag...
    method UpdateStatus (line 132) | func (c *clusterImagePolicies) UpdateStatus(ctx context.Context, clust...
    method Delete (line 146) | func (c *clusterImagePolicies) Delete(ctx context.Context, name string...
    method DeleteCollection (line 156) | func (c *clusterImagePolicies) DeleteCollection(ctx context.Context, o...
    method Patch (line 171) | func (c *clusterImagePolicies) Patch(ctx context.Context, name string,...
  function newClusterImagePolicies (line 57) | func newClusterImagePolicies(c *PolicyV1beta1Client) *clusterImagePolici...

FILE: pkg/client/clientset/versioned/typed/policy/v1beta1/fake/fake_clusterimagepolicy.go
  type FakeClusterImagePolicies (line 31) | type FakeClusterImagePolicies struct
    method Get (line 40) | func (c *FakeClusterImagePolicies) Get(ctx context.Context, name strin...
    method List (line 50) | func (c *FakeClusterImagePolicies) List(ctx context.Context, opts v1.L...
    method Watch (line 71) | func (c *FakeClusterImagePolicies) Watch(ctx context.Context, opts v1....
    method Create (line 77) | func (c *FakeClusterImagePolicies) Create(ctx context.Context, cluster...
    method Update (line 87) | func (c *FakeClusterImagePolicies) Update(ctx context.Context, cluster...
    method UpdateStatus (line 98) | func (c *FakeClusterImagePolicies) UpdateStatus(ctx context.Context, c...
    method Delete (line 108) | func (c *FakeClusterImagePolicies) Delete(ctx context.Context, name st...
    method DeleteCollection (line 115) | func (c *FakeClusterImagePolicies) DeleteCollection(ctx context.Contex...
    method Patch (line 123) | func (c *FakeClusterImagePolicies) Patch(ctx context.Context, name str...

FILE: pkg/client/clientset/versioned/typed/policy/v1beta1/fake/fake_policy_client.go
  type FakePolicyV1beta1 (line 25) | type FakePolicyV1beta1 struct
    method ClusterImagePolicies (line 29) | func (c *FakePolicyV1beta1) ClusterImagePolicies() v1beta1.ClusterImag...
    method RESTClient (line 35) | func (c *FakePolicyV1beta1) RESTClient() rest.Interface {

FILE: pkg/client/clientset/versioned/typed/policy/v1beta1/generated_expansion.go
  type ClusterImagePolicyExpansion (line 19) | type ClusterImagePolicyExpansion interface

FILE: pkg/client/clientset/versioned/typed/policy/v1beta1/policy_client.go
  type PolicyV1beta1Interface (line 27) | type PolicyV1beta1Interface interface
  type PolicyV1beta1Client (line 33) | type PolicyV1beta1Client struct
    method ClusterImagePolicies (line 37) | func (c *PolicyV1beta1Client) ClusterImagePolicies() ClusterImagePolic...
    method RESTClient (line 100) | func (c *PolicyV1beta1Client) RESTClient() rest.Interface {
  function NewForConfig (line 44) | func NewForConfig(c *rest.Config) (*PolicyV1beta1Client, error) {
  function NewForConfigAndClient (line 58) | func NewForConfigAndClient(c *rest.Config, h *http.Client) (*PolicyV1bet...
  function NewForConfigOrDie (line 72) | func NewForConfigOrDie(c *rest.Config) *PolicyV1beta1Client {
  function New (line 81) | func New(c rest.Interface) *PolicyV1beta1Client {
  function setConfigDefaults (line 85) | func setConfigDefaults(config *rest.Config) error {

FILE: pkg/client/informers/externalversions/factory.go
  type SharedInformerOption (line 34) | type SharedInformerOption
  type sharedInformerFactory (line 36) | type sharedInformerFactory struct
    method Start (line 113) | func (f *sharedInformerFactory) Start(stopCh <-chan struct{}) {
    method Shutdown (line 137) | func (f *sharedInformerFactory) Shutdown() {
    method WaitForCacheSync (line 146) | func (f *sharedInformerFactory) WaitForCacheSync(stopCh <-chan struct{...
    method InformerFor (line 169) | func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFun...
    method Policy (line 247) | func (f *sharedInformerFactory) Policy() policy.Interface {
  function WithCustomResyncConfig (line 56) | func WithCustomResyncConfig(resyncConfig map[v1.Object]time.Duration) Sh...
  function WithTweakListOptions (line 66) | func WithTweakListOptions(tweakListOptions internalinterfaces.TweakListO...
  function WithNamespace (line 74) | func WithNamespace(namespace string) SharedInformerOption {
  function NewSharedInformerFactory (line 82) | func NewSharedInformerFactory(client versioned.Interface, defaultResync ...
  function NewFilteredSharedInformerFactory (line 90) | func NewFilteredSharedInformerFactory(client versioned.Interface, defaul...
  function NewSharedInformerFactoryWithOptions (line 95) | func NewSharedInformerFactoryWithOptions(client versioned.Interface, def...
  type SharedInformerFactory (line 214) | type SharedInformerFactory interface

FILE: pkg/client/informers/externalversions/generic.go
  type GenericInformer (line 30) | type GenericInformer interface
  type genericInformer (line 35) | type genericInformer struct
    method Informer (line 41) | func (f *genericInformer) Informer() cache.SharedIndexInformer {
    method Lister (line 46) | func (f *genericInformer) Lister() cache.GenericLister {
  method ForResource (line 52) | func (f *sharedInformerFactory) ForResource(resource schema.GroupVersion...

FILE: pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go
  type NewInformerFunc (line 29) | type NewInformerFunc
  type SharedInformerFactory (line 32) | type SharedInformerFactory interface
  type TweakListOptionsFunc (line 38) | type TweakListOptionsFunc

FILE: pkg/client/informers/externalversions/policy/interface.go
  type Interface (line 26) | type Interface interface
  type group (line 33) | type group struct
    method V1alpha1 (line 45) | func (g *group) V1alpha1() v1alpha1.Interface {
    method V1beta1 (line 50) | func (g *group) V1beta1() v1beta1.Interface {
  function New (line 40) | func New(f internalinterfaces.SharedInformerFactory, namespace string, t...

FILE: pkg/client/informers/externalversions/policy/v1alpha1/clusterimagepolicy.go
  type ClusterImagePolicyInformer (line 35) | type ClusterImagePolicyInformer interface
  type clusterImagePolicyInformer (line 40) | type clusterImagePolicyInformer struct
    method defaultInformer (line 77) | func (f *clusterImagePolicyInformer) defaultInformer(client versioned....
    method Informer (line 81) | func (f *clusterImagePolicyInformer) Informer() cache.SharedIndexInfor...
    method Lister (line 85) | func (f *clusterImagePolicyInformer) Lister() v1alpha1.ClusterImagePol...
  function NewClusterImagePolicyInformer (line 48) | func NewClusterImagePolicyInformer(client versioned.Interface, resyncPer...
  function NewFilteredClusterImagePolicyInformer (line 55) | func NewFilteredClusterImagePolicyInformer(client versioned.Interface, r...

FILE: pkg/client/informers/externalversions/policy/v1alpha1/interface.go
  type Interface (line 24) | type Interface interface
  type version (line 31) | type version struct
    method ClusterImagePolicies (line 43) | func (v *version) ClusterImagePolicies() ClusterImagePolicyInformer {
    method TrustRoots (line 48) | func (v *version) TrustRoots() TrustRootInformer {
  function New (line 38) | func New(f internalinterfaces.SharedInformerFactory, namespace string, t...

FILE: pkg/client/informers/externalversions/policy/v1alpha1/trustroot.go
  type TrustRootInformer (line 35) | type TrustRootInformer interface
  type trustRootInformer (line 40) | type trustRootInformer struct
    method defaultInformer (line 77) | func (f *trustRootInformer) defaultInformer(client versioned.Interface...
    method Informer (line 81) | func (f *trustRootInformer) Informer() cache.SharedIndexInformer {
    method Lister (line 85) | func (f *trustRootInformer) Lister() v1alpha1.TrustRootLister {
  function NewTrustRootInformer (line 48) | func NewTrustRootInformer(client versioned.Interface, resyncPeriod time....
  function NewFilteredTrustRootInformer (line 55) | func NewFilteredTrustRootInformer(client versioned.Interface, resyncPeri...

FILE: pkg/client/informers/externalversions/policy/v1beta1/clusterimagepolicy.go
  type ClusterImagePolicyInformer (line 35) | type ClusterImagePolicyInformer interface
  type clusterImagePolicyInformer (line 40) | type clusterImagePolicyInformer struct
    method defaultInformer (line 77) | func (f *clusterImagePolicyInformer) defaultInformer(client versioned....
    method Informer (line 81) | func (f *clusterImagePolicyInformer) Informer() cache.SharedIndexInfor...
    method Lister (line 85) | func (f *clusterImagePolicyInformer) Lister() v1beta1.ClusterImagePoli...
  function NewClusterImagePolicyInformer (line 48) | func NewClusterImagePolicyInformer(client versioned.Interface, resyncPer...
  function NewFilteredClusterImagePolicyInformer (line 55) | func NewFilteredClusterImagePolicyInformer(client versioned.Interface, r...

FILE: pkg/client/informers/externalversions/policy/v1beta1/interface.go
  type Interface (line 24) | type Interface interface
  type version (line 29) | type version struct
    method ClusterImagePolicies (line 41) | func (v *version) ClusterImagePolicies() ClusterImagePolicyInformer {
  function New (line 36) | func New(f internalinterfaces.SharedInformerFactory, namespace string, t...

FILE: pkg/client/injection/client/client.go
  function init (line 28) | func init() {
  type Key (line 36) | type Key struct
  function withClientFromConfig (line 38) | func withClientFromConfig(ctx context.Context, cfg *rest.Config) context...
  function Get (line 43) | func Get(ctx context.Context) versioned.Interface {

FILE: pkg/client/injection/client/fake/fake.go
  function init (line 30) | func init() {
  function withClient (line 37) | func withClient(ctx context.Context, cfg *rest.Config) context.Context {
  function With (line 42) | func With(ctx context.Context, objects ...runtime.Object) (context.Conte...
  function Get (line 48) | func Get(ctx context.Context) *fake.Clientset {

FILE: pkg/client/injection/ducks/duck/v1beta1/podscalable/fake/fake.go
  function init (line 26) | func init() {

FILE: pkg/client/injection/ducks/duck/v1beta1/podscalable/podscalable.go
  function init (line 30) | func init() {
  type Key (line 35) | type Key struct
  function WithDuck (line 37) | func WithDuck(ctx context.Context) context.Context {
  function Get (line 51) | func Get(ctx context.Context) duck.InformerFactory {

FILE: pkg/client/injection/informers/factory/factory.go
  function init (line 29) | func init() {
  type Key (line 34) | type Key struct
  function withInformerFactory (line 36) | func withInformerFactory(ctx context.Context) context.Context {
  function Get (line 47) | func Get(ctx context.Context) externalversions.SharedInformerFactory {

FILE: pkg/client/injection/informers/factory/fake/fake.go
  function init (line 31) | func init() {
  function withInformerFactory (line 35) | func withInformerFactory(ctx context.Context) context.Context {

FILE: pkg/client/injection/informers/factory/filtered/fake/fake_filtered_factory.go
  function init (line 33) | func init() {
  function withInformerFactory (line 37) | func withInformerFactory(ctx context.Context) context.Context {

FILE: pkg/client/injection/informers/factory/filtered/filtered_factory.go
  function init (line 30) | func init() {
  type Key (line 35) | type Key struct
  type LabelKey (line 39) | type LabelKey struct
  function WithSelectors (line 41) | func WithSelectors(ctx context.Context, selector ...string) context.Cont...
  function withInformerFactory (line 45) | func withInformerFactory(ctx context.Context) context.Context {
  function Get (line 68) | func Get(ctx context.Context, selector string) externalversions.SharedIn...

FILE: pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/clusterimagepolicy.go
  function init (line 29) | func init() {
  type Key (line 34) | type Key struct
  function withInformer (line 36) | func withInformer(ctx context.Context) (context.Context, controller.Info...
  function Get (line 43) | func Get(ctx context.Context) v1alpha1.ClusterImagePolicyInformer {

FILE: pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/fake/fake.go
  function init (line 30) | func init() {
  function withInformer (line 34) | func withInformer(ctx context.Context) (context.Context, controller.Info...

FILE: pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/filtered/clusterimagepolicy.go
  function init (line 29) | func init() {
  type Key (line 34) | type Key struct
  function withInformer (line 38) | func withInformer(ctx context.Context) (context.Context, []controller.In...
  function Get (line 56) | func Get(ctx context.Context, selector string) v1alpha1.ClusterImagePoli...

FILE: pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/filtered/fake/fake.go
  function init (line 31) | func init() {
  function withInformer (line 35) | func withInformer(ctx context.Context) (context.Context, []controller.In...

FILE: pkg/client/injection/informers/policy/v1alpha1/trustroot/fake/fake.go
  function init (line 30) | func init() {
  function withInformer (line 34) | func withInformer(ctx context.Context) (context.Context, controller.Info...

FILE: pkg/client/injection/informers/policy/v1alpha1/trustroot/filtered/fake/fake.go
  function init (line 31) | func init() {
  function withInformer (line 35) | func withInformer(ctx context.Context) (context.Context, []controller.In...

FILE: pkg/client/injection/informers/policy/v1alpha1/trustroot/filtered/trustroot.go
  function init (line 29) | func init() {
  type Key (line 34) | type Key struct
  function withInformer (line 38) | func withInformer(ctx context.Context) (context.Context, []controller.In...
  function Get (line 56) | func Get(ctx context.Context, selector string) v1alpha1.TrustRootInformer {

FILE: pkg/client/injection/informers/policy/v1alpha1/trustroot/trustroot.go
  function init (line 29) | func init() {
  type Key (line 34) | type Key struct
  function withInformer (line 36) | func withInformer(ctx context.Context) (context.Context, controller.Info...
  function Get (line 43) | func Get(ctx context.Context) v1alpha1.TrustRootInformer {

FILE: pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/clusterimagepolicy.go
  function init (line 29) | func init() {
  type Key (line 34) | type Key struct
  function withInformer (line 36) | func withInformer(ctx context.Context) (context.Context, controller.Info...
  function Get (line 43) | func Get(ctx context.Context) v1beta1.ClusterImagePolicyInformer {

FILE: pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/fake/fake.go
  function init (line 30) | func init() {
  function withInformer (line 34) | func withInformer(ctx context.Context) (context.Context, controller.Info...

FILE: pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/filtered/clusterimagepolicy.go
  function init (line 29) | func init() {
  type Key (line 34) | type Key struct
  function withInformer (line 38) | func withInformer(ctx context.Context) (context.Context, []controller.In...
  function Get (line 56) | func Get(ctx context.Context, selector string) v1beta1.ClusterImagePolic...

FILE: pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/filtered/fake/fake.go
  function init (line 31) | func init() {
  function withInformer (line 35) | func withInformer(ctx context.Context) (context.Context, []controller.In...

FILE: pkg/client/injection/reconciler/policy/v1alpha1/clusterimagepolicy/controller.go
  constant defaultControllerAgentName (line 44) | defaultControllerAgentName = "clusterimagepolicy-controller"
  constant defaultFinalizerName (line 45) | defaultFinalizerName       = "clusterimagepolicies.policy.sigstore.dev"
  function NewImpl (line 52) | func NewImpl(ctx context.Context, r Interface, optionsFns ...controller....
  function createRecorder (line 141) | func createRecorder(ctx context.Context, agentName string) record.EventR...
  function init (line 166) | func init() {

FILE: pkg/client/injection/reconciler/policy/v1alpha1/clusterimagepolicy/reconciler.go
  type Interface (line 45) | type Interface interface
  type Finalizer (line 57) | type Finalizer interface
  type ReadOnlyInterface (line 69) | type ReadOnlyInterface interface
  type doReconcile (line 75) | type doReconcile
  type reconcilerImpl (line 78) | type reconcilerImpl struct
    method Reconcile (line 168) | func (r *reconcilerImpl) Reconcile(ctx context.Context, key string) er...
    method updateStatus (line 310) | func (r *reconcilerImpl) updateStatus(ctx context.Context, logger *zap...
    method updateFinalizersFiltered (line 347) | func (r *reconcilerImpl) updateFinalizersFiltered(ctx context.Context,...
    method setFinalizerIfFinalizer (line 399) | func (r *reconcilerImpl) setFinalizerIfFinalizer(ctx context.Context, ...
    method clearFinalizer (line 415) | func (r *reconcilerImpl) clearFinalizer(ctx context.Context, resource ...
  function NewReconciler (line 113) | func NewReconciler(ctx context.Context, logger *zap.SugaredLogger, clien...

FILE: pkg/client/injection/reconciler/policy/v1alpha1/clusterimagepolicy/state.go
  type state (line 29) | type state struct
    method isNotLeaderNorObserver (line 75) | func (s *state) isNotLeaderNorObserver() bool {
    method reconcileMethodFor (line 84) | func (s *state) reconcileMethodFor(o *v1alpha1.ClusterImagePolicy) (st...
  function newState (line 46) | func newState(key string, r *reconcilerImpl) (*state, error) {

FILE: pkg/client/injection/reconciler/policy/v1alpha1/trustroot/controller.go
  constant defaultControllerAgentName (line 44) | defaultControllerAgentName = "trustroot-controller"
  constant defaultFinalizerName (line 45) | defaultFinalizerName       = "trustroots.policy.sigstore.dev"
  function NewImpl (line 52) | func NewImpl(ctx context.Context, r Interface, optionsFns ...controller....
  function createRecorder (line 141) | func createRecorder(ctx context.Context, agentName string) record.EventR...
  function init (line 166) | func init() {

FILE: pkg/client/injection/reconciler/policy/v1alpha1/trustroot/reconciler.go
  type Interface (line 45) | type Interface interface
  type Finalizer (line 57) | type Finalizer interface
  type ReadOnlyInterface (line 69) | type ReadOnlyInterface interface
  type doReconcile (line 75) | type doReconcile
  type reconcilerImpl (line 78) | type reconcilerImpl struct
    method Reconcile (line 168) | func (r *reconcilerImpl) Reconcile(ctx context.Context, key string) er...
    method updateStatus (line 310) | func (r *reconcilerImpl) updateStatus(ctx context.Context, logger *zap...
    method updateFinalizersFiltered (line 347) | func (r *reconcilerImpl) updateFinalizersFiltered(ctx context.Context,...
    method setFinalizerIfFinalizer (line 399) | func (r *reconcilerImpl) setFinalizerIfFinalizer(ctx context.Context, ...
    method clearFinalizer (line 415) | func (r *reconcilerImpl) clearFinalizer(ctx context.Context, resource ...
  function NewReconciler (line 113) | func NewReconciler(ctx context.Context, logger *zap.SugaredLogger, clien...

FILE: pkg/client/injection/reconciler/policy/v1alpha1/trustroot/state.go
  type state (line 29) | type state struct
    method isNotLeaderNorObserver (line 75) | func (s *state) isNotLeaderNorObserver() bool {
    method reconcileMethodFor (line 84) | func (s *state) reconcileMethodFor(o *v1alpha1.TrustRoot) (string, doR...
  function newState (line 46) | func newState(key string, r *reconcilerImpl) (*state, error) {

FILE: pkg/client/injection/reconciler/policy/v1beta1/clusterimagepolicy/controller.go
  constant defaultControllerAgentName (line 44) | defaultControllerAgentName = "clusterimagepolicy-controller"
  constant defaultFinalizerName (line 45) | defaultFinalizerName       = "clusterimagepolicies.policy.sigstore.dev"
  function NewImpl (line 52) | func NewImpl(ctx context.Context, r Interface, optionsFns ...controller....
  function createRecorder (line 141) | func createRecorder(ctx context.Context, agentName string) record.EventR...
  function init (line 166) | func init() {

FILE: pkg/client/injection/reconciler/policy/v1beta1/clusterimagepolicy/reconciler.go
  type Interface (line 45) | type Interface interface
  type Finalizer (line 57) | type Finalizer interface
  type ReadOnlyInterface (line 69) | type ReadOnlyInterface interface
  type doReconcile (line 75) | type doReconcile
  type reconcilerImpl (line 78) | type reconcilerImpl struct
    method Reconcile (line 168) | func (r *reconcilerImpl) Reconcile(ctx context.Context, key string) er...
    method updateStatus (line 310) | func (r *reconcilerImpl) updateStatus(ctx context.Context, logger *zap...
    method updateFinalizersFiltered (line 347) | func (r *reconcilerImpl) updateFinalizersFiltered(ctx context.Context,...
    method setFinalizerIfFinalizer (line 399) | func (r *reconcilerImpl) setFinalizerIfFinalizer(ctx context.Context, ...
    method clearFinalizer (line 415) | func (r *reconcilerImpl) clearFinalizer(ctx context.Context, resource ...
  function NewReconciler (line 113) | func NewReconciler(ctx context.Context, logger *zap.SugaredLogger, clien...

FILE: pkg/client/injection/reconciler/policy/v1beta1/clusterimagepolicy/state.go
  type state (line 29) | type state struct
    method isNotLeaderNorObserver (line 75) | func (s *state) isNotLeaderNorObserver() bool {
    method reconcileMethodFor (line 84) | func (s *state) reconcileMethodFor(o *v1beta1.ClusterImagePolicy) (str...
  function newState (line 46) | func newState(key string, r *reconcilerImpl) (*state, error) {

FILE: pkg/client/listers/policy/v1alpha1/clusterimagepolicy.go
  type ClusterImagePolicyLister (line 28) | type ClusterImagePolicyLister interface
  type clusterImagePolicyLister (line 39) | type clusterImagePolicyLister struct
    method List (line 49) | func (s *clusterImagePolicyLister) List(selector labels.Selector) (ret...
    method Get (line 57) | func (s *clusterImagePolicyLister) Get(name string) (*v1alpha1.Cluster...
  function NewClusterImagePolicyLister (line 44) | func NewClusterImagePolicyLister(indexer cache.Indexer) ClusterImagePoli...

FILE: pkg/client/listers/policy/v1alpha1/expansion_generated.go
  type ClusterImagePolicyListerExpansion (line 21) | type ClusterImagePolicyListerExpansion interface
  type TrustRootListerExpansion (line 25) | type TrustRootListerExpansion interface

FILE: pkg/client/listers/policy/v1alpha1/trustroot.go
  type TrustRootLister (line 28) | type TrustRootLister interface
  type trustRootLister (line 39) | type trustRootLister struct
    method List (line 49) | func (s *trustRootLister) List(selector labels.Selector) (ret []*v1alp...
    method Get (line 57) | func (s *trustRootLister) Get(name string) (*v1alpha1.TrustRoot, error) {
  function NewTrustRootLister (line 44) | func NewTrustRootLister(indexer cache.Indexer) TrustRootLister {

FILE: pkg/client/listers/policy/v1beta1/clusterimagepolicy.go
  type ClusterImagePolicyLister (line 28) | type ClusterImagePolicyLister interface
  type clusterImagePolicyLister (line 39) | type clusterImagePolicyLister struct
    method List (line 49) | func (s *clusterImagePolicyLister) List(selector labels.Selector) (ret...
    method Get (line 57) | func (s *clusterImagePolicyLister) Get(name string) (*v1beta1.ClusterI...
  function NewClusterImagePolicyLister (line 44) | func NewClusterImagePolicyLister(indexer cache.Indexer) ClusterImagePoli...

FILE: pkg/client/listers/policy/v1beta1/expansion_generated.go
  type ClusterImagePolicyListerExpansion (line 21) | type ClusterImagePolicyListerExpansion interface

FILE: pkg/config/store.go
  type cfgKey (line 26) | type cfgKey struct
  constant PolicyControllerConfigName (line 31) | PolicyControllerConfigName = "config-policy-controller"
  constant DenyAll (line 35) | DenyAll = "deny"
  constant AllowAll (line 39) | AllowAll = "allow"
  constant WarnAll (line 41) | WarnAll = "warn"
  constant NoMatchPolicyKey (line 43) | NoMatchPolicyKey = "no-match-policy"
  constant FailOnEmptyAuthorities (line 45) | FailOnEmptyAuthorities = "fail-on-empty-authorities"
  constant EnableOCI11 (line 47) | EnableOCI11 = "enable-oci11"
  type PolicyControllerConfig (line 55) | type PolicyControllerConfig struct
  function NewPolicyControllerConfigFromMap (line 65) | func NewPolicyControllerConfigFromMap(data map[string]string) (*PolicyCo...
  function NewPolicyControllerConfigFromConfigMap (line 94) | func NewPolicyControllerConfigFromConfigMap(config *corev1.ConfigMap) (*...
  function FromContext (line 99) | func FromContext(ctx context.Context) *PolicyControllerConfig {
  function FromContextOrDefaults (line 110) | func FromContextOrDefaults(ctx context.Context) *PolicyControllerConfig {
  function ToContext (line 123) | func ToContext(ctx context.Context, c *PolicyControllerConfig) context.C...
  type Store (line 129) | type Store struct
    method ToContext (line 151) | func (s *Store) ToContext(ctx context.Context) context.Context {
    method Load (line 157) | func (s *Store) Load() *PolicyControllerConfig {
  function NewStore (line 134) | func NewStore(logger configmap.Logger, onAfterStore ...func(name string,...

FILE: pkg/config/store_test.go
  type testData (line 27) | type testData struct
  function TestStoreLoadWithContext (line 41) | func TestStoreLoadWithContext(t *testing.T) {
  function TestStoreLoadWithContextOrDefaults (line 69) | func TestStoreLoadWithContextOrDefaults(t *testing.T) {
  function TestEnableOCI11Config (line 88) | func TestEnableOCI11Config(t *testing.T) {
  function TestFromContextOrDefaultsWithOCI11 (line 138) | func TestFromContextOrDefaultsWithOCI11(t *testing.T) {

FILE: pkg/policy/parse.go
  function Parse (line 33) | func Parse(_ context.Context, document string) ([]*unstructured.Unstruct...
  function ParseClusterImagePolicies (line 59) | func ParseClusterImagePolicies(ctx context.Context, document string) (ci...
  function convert (line 105) | func convert(from interface{}, to interface{}) error {

FILE: pkg/policy/parse_test.go
  function TestParse (line 29) | func TestParse(t *testing.T) {
  function TestParseCIP (line 193) | func TestParseCIP(t *testing.T) {

FILE: pkg/policy/policy.go
  type Verification (line 28) | type Verification struct
    method Validate (line 55) | func (v *Verification) Validate(ctx context.Context) (errs *apis.Field...
  type Source (line 43) | type Source struct
    method Validate (line 76) | func (pd *Source) Validate(ctx context.Context) *apis.FieldError {
    method fetch (line 116) | func (pd *Source) fetch(ctx context.Context) (string, error) {

FILE: pkg/policy/policy_test.go
  constant goodPolicy (line 26) | goodPolicy = `
  constant badPolicy (line 44) | badPolicy = `
  function TestVerificationValidate (line 54) | func TestVerificationValidate(t *testing.T) {

FILE: pkg/policy/validate.go
  function Validate (line 44) | func Validate(ctx context.Context, document string) (warns error, err er...
  type crd (line 80) | type crd interface
  function validate (line 85) | func validate(ctx context.Context, uo *unstructured.Unstructured, v crd)...

FILE: pkg/policy/validate_test.go
  function TestValidate (line 26) | func TestValidate(t *testing.T) {

FILE: pkg/policy/verifier.go
  type Verifier (line 35) | type Verifier interface
  type WarningWriter (line 53) | type WarningWriter
  function Compile (line 57) | func Compile(ctx context.Context, v Verification, ww WarningWriter) (Ver...
  function gather (line 75) | func gather(ctx context.Context, v Verification, ww WarningWriter) (*con...
  type impl (line 123) | type impl struct
    method Verify (line 134) | func (i *impl) Verify(ctx context.Context, ref name.Reference, kc auth...
  function getTypeMeta (line 184) | func getTypeMeta(ctx context.Context) (tm metav1.TypeMeta) {
  function getObjectMeta (line 193) | func getObjectMeta(ctx context.Context) (om metav1.ObjectMeta) {

FILE: pkg/policy/verifier_test.go
  constant staticDigest (line 30) | staticDigest = "sha256:39ae0654d64cb72003216f6148e581e6d7cf239ac32325867...
  constant ancientDigest (line 34) | ancientDigest = "sha256:a9650a15060275287ebf4530b34020b8d998bd2de9aea00d...
  function TestVerifierDeny (line 37) | func TestVerifierDeny(t *testing.T) {
  function TestVerifierWarn (line 93) | func TestVerifierWarn(t *testing.T) {

FILE: pkg/reconciler/clusterimagepolicy/clusterimagepolicy.go
  type Reconciler (line 53) | type Reconciler struct
    method ReconcileKind (line 69) | func (r *Reconciler) ReconcileKind(ctx context.Context, cip *v1alpha1....
    method FinalizeKind (line 138) | func (r *Reconciler) FinalizeKind(ctx context.Context, cip *v1alpha1.C...
    method handleCIPError (line 158) | func (r *Reconciler) handleCIPError(ctx context.Context, cipName strin...
    method inlinePublicKeys (line 173) | func (r *Reconciler) inlinePublicKeys(ctx context.Context, cip *v1alph...
    method inlineAndTrackSecret (line 233) | func (r *Reconciler) inlineAndTrackSecret(ctx context.Context, cip *v1...
    method inlinePolicies (line 266) | func (r *Reconciler) inlinePolicies(ctx context.Context, cip *v1alpha1...
    method inlinePolicyURL (line 302) | func (r *Reconciler) inlinePolicyURL(ctx context.Context, policyRef *v...
    method inlineAndTrackConfigMap (line 331) | func (r *Reconciler) inlineAndTrackConfigMap(ctx context.Context, cip ...
    method removeCIPEntry (line 359) | func (r *Reconciler) removeCIPEntry(ctx context.Context, cm *corev1.Co...
  function getKMSPublicKey (line 203) | func getKMSPublicKey(ctx context.Context, keyID string, hashAlgorithm st...

FILE: pkg/reconciler/clusterimagepolicy/clusterimagepolicy_test.go
  constant cipName (line 54) | cipName           = "test-cip"
  constant cipKMSName (line 55) | cipKMSName        = "test-kms-cip"
  constant testKey (line 56) | testKey           = "test-cip"
  constant cipName2 (line 57) | cipName2          = "test-cip-2"
  constant testKey2 (line 58) | testKey2          = "test-cip-2"
  constant keySecretName (line 59) | keySecretName     = "publickey-key"
  constant keylessSecretName (line 60) | keylessSecretName = "publickey-keyless"
  constant glob (line 61) | glob              = "ghcr.io/example/*"
  constant fakeKMSKey (line 62) | fakeKMSKey        = "fakekms://keycip"
  constant policyCMName (line 63) | policyCMName      = "policy-configmap"
  constant policyCMKey (line 64) | policyCMKey       = "policy-configmap-key"
  constant testPolicy (line 66) | testPolicy = `predicateType: "cosign.sigstore.dev/attestation/v1"
  constant testPolicySHA256 (line 71) | testPolicySHA256 = "c694cc08146070e84751ce7416d4befd70ea779071f457df8127...
  constant testPolicySHA256Bad (line 74) | testPolicySHA256Bad = "c694cc08146070e84751ce7416d4befd70ea779071f457df8...
  constant validPublicKeyData (line 77) | validPublicKeyData = `-----BEGIN PUBLIC KEY-----
  constant replaceCIPPatch (line 83) | replaceCIPPatch = `[{"op":"replace","path":"/data/test-cip","value":"{\"...
  constant addCIP2Patch (line 86) | addCIP2Patch = `[{"op":"add","path":"/data/test-cip-2","value":"{\"uid\"...
  constant removeDataPatch (line 90) | removeDataPatch = `[{"op":"remove","path":"/data"}]`
  constant removeSingleEntryKeyPatch (line 94) | removeSingleEntryKeyPatch = `[{"op":"remove","path":"/data/test-cip"}]`
  constant removeSingleEntryKeylessPatch (line 98) | removeSingleEntryKeylessPatch = `[{"op":"remove","path":"/data/test-cip-...
  constant inlinedPolicyPatch (line 101) | inlinedPolicyPatch = `[{"op":"replace","path":"/data/test-cip","value":"...
  constant inlinedSecretKeylessPatch (line 104) | inlinedSecretKeylessPatch = `[{"op":"replace","path":"/data/test-cip-2",...
  constant inlinedSecretKeylessMatchResourcePatch (line 107) | inlinedSecretKeylessMatchResourcePatch = `[{"op":"replace","path":"/data...
  constant inlinedSecretKeylessMatchLabelsPatch (line 110) | inlinedSecretKeylessMatchLabelsPatch = `[{"op":"replace","path":"/data/t...
  constant replaceCIPKeySourcePatch (line 112) | replaceCIPKeySourcePatch = `[{"op":"replace","path":"/data/test-cip","va...
  constant replaceCIPKeySourceWithoutOCIPatch (line 114) | replaceCIPKeySourceWithoutOCIPatch = `[{"op":"replace","path":"/data/tes...
  constant resourceVersion (line 116) | resourceVersion = "0123456789"
  constant uid (line 117) | uid             = "test-uid"
  constant statusUpdateFailureFmt (line 119) | statusUpdateFailureFmt = `Failed to update status for "test-cip": invali...
  constant invalidSHAMsg (line 122) | invalidSHAMsg = "failed to check sha256sum from policy remote: c694cc081...
  function TestReconcile (line 131) | func TestReconcile(t *testing.T) {
  function makeSecret (line 1439) | func makeSecret(name, secret string) *corev1.Secret {
  function makePolicyConfigMap (line 1451) | func makePolicyConfigMap(name string, data map[string]string) *corev1.Co...
  function makeEmptyConfigMap (line 1461) | func makeEmptyConfigMap() *corev1.ConfigMap {
  function makeConfigMap (line 1470) | func makeConfigMap() *corev1.ConfigMap {
  function makeConfigMapWithWarn (line 1482) | func makeConfigMapWithWarn() *corev1.ConfigMap {
  function patchKMS (line 1494) | func patchKMS(ctx context.Context, t *testing.T, kmsKey, hashAlgorithm s...
  function makeDifferentConfigMap (line 1512) | func makeDifferentConfigMap() *corev1.ConfigMap {
  function makeConfigMapWithTwoEntries (line 1526) | func makeConfigMapWithTwoEntries() *corev1.ConfigMap {
  function makePatch (line 1539) | func makePatch(patch string) clientgotesting.PatchActionImpl {
  function patchFinalizers (line 1549) | func patchFinalizers(namespace, name string) clientgotesting.PatchAction...
  function patchRemoveFinalizers (line 1558) | func patchRemoveFinalizers(namespace, name string) clientgotesting.Patch...

FILE: pkg/reconciler/clusterimagepolicy/controller.go
  constant finalizerName (line 44) | finalizerName = "clusterimagepolicies.policy.sigstore.dev"
  type policyResyncPeriodKey (line 46) | type policyResyncPeriodKey struct
  function NewController (line 49) | func NewController(
  function ToContext (line 122) | func ToContext(ctx context.Context, duration time.Duration) context.Cont...
  function FromContextOrDefaults (line 128) | func FromContextOrDefaults(ctx context.Context) time.Duration {

FILE: pkg/reconciler/clusterimagepolicy/controller_test.go
  function TestNew (line 33) | func TestNew(t *testing.T) {
  function TestContextDuration (line 43) | func TestContextDuration(t *testing.T) {

FILE: pkg/reconciler/clusterimagepolicy/resources/configmap.go
  function NewConfigMap (line 29) | func NewConfigMap(ns, name, cipName string, cip *webhookcip.ClusterImage...
  function CreatePatch (line 51) | func CreatePatch(ns, name, cipName string, cm *corev1.ConfigMap, cip *we...
  function CreateRemovePatch (line 73) | func CreateRemovePatch(ns, name string, cm *corev1.ConfigMap, cipName st...
  function marshal (line 88) | func marshal(spec *webhookcip.ClusterImagePolicy) (string, error) {

FILE: pkg/reconciler/testing/v1alpha1/clusterimagepolicy.go
  constant finalizerName (line 26) | finalizerName = "clusterimagepolicies.policy.sigstore.dev"
  type ClusterImagePolicyOption (line 29) | type ClusterImagePolicyOption
  function NewClusterImagePolicy (line 32) | func NewClusterImagePolicy(name string, o ...ClusterImagePolicyOption) *...
  function WithUID (line 46) | func WithUID(uid string) ClusterImagePolicyOption {
  function WithResourceVersion (line 52) | func WithResourceVersion(resourceVersion string) ClusterImagePolicyOption {
  function WithClusterImagePolicyDeletionTimestamp (line 58) | func WithClusterImagePolicyDeletionTimestamp(cip *v1alpha1.ClusterImageP...
  function WithImagePattern (line 63) | func WithImagePattern(ip v1alpha1.ImagePattern) ClusterImagePolicyOption {
  function WithAuthority (line 69) | func WithAuthority(a v1alpha1.Authority) ClusterImagePolicyOption {
  function WithPolicy (line 75) | func WithPolicy(p *v1alpha1.Policy) ClusterImagePolicyOption {
  function WithMatch (line 81) | func WithMatch(a v1alpha1.MatchResource) ClusterImagePolicyOption {
  function WithMode (line 87) | func WithMode(m string) ClusterImagePolicyOption {
  function WithFinalizer (line 93) | func WithFinalizer(cip *v1alpha1.ClusterImagePolicy) {
  function WithInitConditions (line 97) | func WithInitConditions(cip *v1alpha1.ClusterImagePolicy) {
  function WithObservedGeneration (line 100) | func WithObservedGeneration(gen int64) ClusterImagePolicyOption {
  function MarkReady (line 106) | func MarkReady(cip *v1alpha1.ClusterImagePolicy) {
  function WithMarkInlineKeysOk (line 114) | func WithMarkInlineKeysOk(cip *v1alpha1.ClusterImagePolicy) {
  function WithMarkInlineKeysFailed (line 118) | func WithMarkInlineKeysFailed(msg string) ClusterImagePolicyOption {
  function WithMarkInlinePoliciesOk (line 124) | func WithMarkInlinePoliciesOk(cip *v1alpha1.ClusterImagePolicy) {
  function WithMarkInlinePoliciesFailed (line 127) | func WithMarkInlinePoliciesFailed(msg string) ClusterImagePolicyOption {
  function WithMarkCMUpdateFailed (line 133) | func WithMarkCMUpdateFailed(msg string) ClusterImagePolicyOption {

FILE: pkg/reconciler/testing/v1alpha1/factory.go
  constant maxEventBufferSize (line 52) | maxEventBufferSize = 10
  type Ctor (line 56) | type Ctor
  function MakeFactory (line 59) | func MakeFactory(ctor Ctor, unstructured bool, logger *zap.SugaredLogger...
  function ToUnstructured (line 135) | func ToUnstructured(t *testing.T, objs []runtime.Object) (us []runtime.O...
  type key (line 165) | type key struct
  function AssertTrackingSecret (line 171) | func AssertTrackingSecret(namespace, name string) func(*testing.T, *reco...
  function AssertTrackingConfigMap (line 177) | func AssertTrackingConfigMap(namespace, name string) func(*testing.T, *r...
  function AssertTrackingObject (line 183) | func AssertTrackingObject(gvk schema.GroupVersionKind, namespace, name s...

FILE: pkg/reconciler/testing/v1alpha1/listers.go
  type Listers (line 34) | type Listers struct
    method indexerFor (line 67) | func (l *Listers) indexerFor(obj runtime.Object) cache.Indexer {
    method GetKubeObjects (line 71) | func (l *Listers) GetKubeObjects() []runtime.Object {
    method GetCosignObjects (line 75) | func (l *Listers) GetCosignObjects() []runtime.Object {
    method GetAllObjects (line 79) | func (l *Listers) GetAllObjects() []runtime.Object {
    method GetClusterImagePolicyLister (line 85) | func (l *Listers) GetClusterImagePolicyLister() policylisters.ClusterI...
    method GetTrustRootLister (line 89) | func (l *Listers) GetTrustRootLister() policylisters.TrustRootLister {
    method GetSecretLister (line 93) | func (l *Listers) GetSecretLister() corev1listers.SecretLister {
    method GetConfigMapLister (line 97) | func (l *Listers) GetConfigMapLister() corev1listers.ConfigMapLister {
  function NewScheme (line 38) | func NewScheme() *runtime.Scheme {
  function NewListers (line 49) | func NewListers(objs []runtime.Object) Listers {

FILE: pkg/reconciler/testing/v1alpha1/trustroot.go
  constant finalizerNameTrustRoot (line 27) | finalizerNameTrustRoot = "trustroots.policy.sigstore.dev"
  type TrustRootOption (line 30) | type TrustRootOption
  function NewTrustRoot (line 33) | func NewTrustRoot(name string, o ...TrustRootOption) *v1alpha1.TrustRoot {
  function WithTrustRootUID (line 47) | func WithTrustRootUID(uid string) TrustRootOption {
  function WithTrustRootResourceVersion (line 53) | func WithTrustRootResourceVersion(resourceVersion string) TrustRootOption {
  function WithTrustRootDeletionTimestamp (line 59) | func WithTrustRootDeletionTimestamp(tr *v1alpha1.TrustRoot) {
  function WithTrustRootFinalizer (line 64) | func WithTrustRootFinalizer(tr *v1alpha1.TrustRoot) {
  function WithSigstoreKeys (line 72) | func WithSigstoreKeys(sk map[string]string) TrustRootOption {
  function WithRepository (line 107) | func WithRepository(targets string, root, repository []byte, trustedRoot...
  function WithInitConditionsTrustRoot (line 118) | func WithInitConditionsTrustRoot(tr *v1alpha1.TrustRoot) {
  function WithObservedGenerationTrustRoot (line 121) | func WithObservedGenerationTrustRoot(gen int64) TrustRootOption {
  function MarkReadyTrustRoot (line 127) | func MarkReadyTrustRoot(tr *v1alpha1.TrustRoot) {
  function WithMarkInlineKeysOkTrustRoot (line 134) | func WithMarkInlineKeysOkTrustRoot(tr *v1alpha1.TrustRoot) {
  function WithMarkInlineKeysFailedTrustRoot (line 138) | func WithMarkInlineKeysFailedTrustRoot(msg string) TrustRootOption {
  function WithMarkCMUpdateFailedTrustRoot (line 144) | func WithMarkCMUpdateFailedTrustRoot(msg string) TrustRootOption {

FILE: pkg/reconciler/trustroot/controller.go
  constant FinalizerName (line 38) | FinalizerName = "trustroots.policy.sigstore.dev"
  function NewController (line 41) | func NewController(

FILE: pkg/reconciler/trustroot/controller_test.go
  function TestNew (line 31) | func TestNew(t *testing.T) {

FILE: pkg/reconciler/trustroot/resources/configmap.go
  function NewConfigMap (line 28) | func NewConfigMap(ns, name, trName string, sk *config.SigstoreKeys) (*co...
  function CreatePatch (line 48) | func CreatePatch(ns, name, tkName string, cm *corev1.ConfigMap, sk *conf...
  function CreateRemovePatch (line 70) | func CreateRemovePatch(ns, name string, cm *corev1.ConfigMap, tkName str...
  function Marshal (line 85) | func Marshal(spec *config.SigstoreKeys) (string, error) {

FILE: pkg/reconciler/trustroot/testdata/testdata.go
  function Get (line 27) | func Get(filename string) []byte {

FILE: pkg/reconciler/trustroot/trustroot.go
  type Reconciler (line 50) | type Reconciler struct
    method ReconcileKind (line 60) | func (r *Reconciler) ReconcileKind(ctx context.Context, trustroot *v1a...
    method FinalizeKind (line 152) | func (r *Reconciler) FinalizeKind(ctx context.Context, trustroot *v1al...
    method getSigstoreKeysFromMirrorFS (line 174) | func (r *Reconciler) getSigstoreKeysFromMirrorFS(ctx context.Context, ...
    method getSigstoreKeysFromRemote (line 188) | func (r *Reconciler) getSigstoreKeysFromRemote(ctx context.Context, re...
    method removeTrustRootEntry (line 203) | func (r *Reconciler) removeTrustRootEntry(ctx context.Context, cm *cor...
  function pemToKeyAndID (line 218) | func pemToKeyAndID(pem []byte) (crypto.PublicKey, string, error) {
  type customMetadata (line 232) | type customMetadata struct
  type sigstoreCustomMetadata (line 238) | type sigstoreCustomMetadata struct
  function GetSigstoreKeysFromTuf (line 245) | func GetSigstoreKeysFromTuf(ctx context.Context, tufClient *tuf.TUFClien...
  function genTransparencyLogInstance (line 322) | func genTransparencyLogInstance(baseURL string, pkBytes []byte) (*config...

FILE: pkg/reconciler/trustroot/trustroot_test.go
  constant trName (line 59) | trName   = "test-trustroot"
  constant testKey (line 60) | testKey  = "test-trustroot"
  constant tkName2 (line 61) | tkName2  = "test-trustroot-2"
  constant testKey2 (line 62) | testKey2 = "test-trustroot-2"
  constant resourceVersion (line 64) | resourceVersion = "0123456789"
  constant uid (line 65) | uid             = "test-uid"
  constant uid2 (line 66) | uid2            = "test-uid-2"
  constant replacePatchFmtString (line 118) | replacePatchFmtString = `[{"op":"replace","path":"/data/%s","value":"%s"}]`
  constant removePatchFmtString (line 119) | removePatchFmtString  = `[{"op":"remove","path":"/data/%s"}]`
  function canonicalizeSigstoreKeys (line 140) | func canonicalizeSigstoreKeys(in []byte) []byte {
  function TestReconcile (line 186) | func TestReconcile(t *testing.T) {
  function makeConfigMapWithSigstoreKeys (line 437) | func makeConfigMapWithSigstoreKeys() *corev1.ConfigMap {
  function makeConfigMapWithMirrorFS (line 464) | func makeConfigMapWithMirrorFS(entry string) *corev1.ConfigMap {
  function makeDifferentConfigMap (line 476) | func makeDifferentConfigMap() *corev1.ConfigMap {
  function makeConfigMapWithTwoEntries (line 490) | func makeConfigMapWithTwoEntries() *corev1.ConfigMap {
  function makePatch (line 507) | func makePatch(fmtstr, key, patch string) clientgotesting.PatchActionImpl {
  function makeRemovePatch (line 520) | func makeRemovePatch(key string) clientgotesting.PatchActionImpl {
  function patchFinalizers (line 530) | func patchFinalizers(namespace, name string) clientgotesting.PatchAction...
  function patchRemoveFinalizers (line 539) | func patchRemoveFinalizers(namespace, name string) clientgotesting.Patch...
  function TestConvertSigstoreKeys (line 553) | func TestConvertSigstoreKeys(t *testing.T) {

FILE: pkg/tuf/context.go
  type trustrootResyncPeriodKey (line 25) | type trustrootResyncPeriodKey struct
  function ToContext (line 29) | func ToContext(ctx context.Context, duration time.Duration) context.Cont...
  function FromContextOrDefaults (line 35) | func FromContextOrDefaults(ctx context.Context) time.Duration {

FILE: pkg/tuf/context_test.go
  function TestContextDuration (line 26) | func TestContextDuration(t *testing.T) {

FILE: pkg/tuf/repo.go
  function CompressFS (line 51) | func CompressFS(fsys fs.FS, buf io.Writer, skipDirs map[string]bool) err...
  function Uncompress (line 105) | func Uncompress(src io.Reader, dst string) error {
  function sanitizeArchivePath (line 167) | func sanitizeArchivePath(d, t string) (v string, err error) {
  function UncompressMemFS (line 178) | func UncompressMemFS(src io.Reader, stripPrefix string) (fs.FS, error) {
  type fsFetcher (line 240) | type fsFetcher struct
    method DownloadFile (line 245) | func (f *fsFetcher) DownloadFile(urlPath string, maxLength int64, time...
  type TUFClient (line 266) | type TUFClient struct
    method GetTarget (line 280) | func (c *TUFClient) GetTarget(target string) ([]byte, error) {
    method GetTopLevelTargets (line 288) | func (c *TUFClient) GetTopLevelTargets() (map[string]*metadata.TargetF...
  function ClientFromSerializedMirror (line 301) | func ClientFromSerializedMirror(_ context.Context, repo, rootJSON []byte...
  function ClientFromRemote (line 331) | func ClientFromRemote(_ context.Context, mirror string, rootJSON []byte,...
  function newRawUpdater (line 357) | func newRawUpdater(metadataURL string, rootJSON []byte, targetsURL strin...
  function GetTrustedRoot (line 384) | func GetTrustedRoot(ctx context.Context) (*root.TrustedRoot, error) {

FILE: pkg/tuf/repo_test.go
  constant fulcioRootCert (line 37) | fulcioRootCert = `-----BEGIN CERTIFICATE-----
  constant ctlogPublicKey (line 52) | ctlogPublicKey = `-----BEGIN RSA PUBLIC KEY-----
  constant rekorPublicKey (line 66) | rekorPublicKey = `-----BEGIN PUBLIC KEY-----
  constant validRepository (line 73) | validRepository = `H4sIAAAAAAAA/+xcW1MbOdPOtX+Fi9t8G0stqSWlai9m7AEMGLBjj...
  constant rootJSON (line 83) | rootJSON = `ewogInNpZ25lZCI6IHsKICAiX3R5cGUiOiAicm9vdCIsCiAgInNwZWNfdmVy...
  function TestCompressUncompressFS (line 86) | func TestCompressUncompressFS(t *testing.T) {
  function createRepo (line 134) | func createRepo(ctx context.Context, files map[string][]byte) (tuf.Local...
  function writeStagedTarget (line 195) | func writeStagedTarget(dir, path string, data []byte) error {
  function TestFsFetcherNotFound (line 204) | func TestFsFetcherNotFound(t *testing.T) {
  function TestFsFetcherMaxLength (line 230) | func TestFsFetcherMaxLength(t *testing.T) {
  function TestDownloadTargetFromSerializedMirror (line 253) | func TestDownloadTargetFromSerializedMirror(t *testing.T) {
  function TestClientFromSerializedMirror (line 284) | func TestClientFromSerializedMirror(t *testing.T) {
  function TestClientFromRemoteMirror (line 306) | func TestClientFromRemoteMirror(t *testing.T) {

FILE: pkg/webhook/cache.go
  type cacheKey (line 22) | type cacheKey struct
  type CacheResult (line 28) | type CacheResult struct
  function FromContext (line 35) | func FromContext(ctx context.Context) ResultCache {
  function ToContext (line 43) | func ToContext(ctx context.Context, cache ResultCache) context.Context {
  type ResultCache (line 47) | type ResultCache interface

FILE: pkg/webhook/clusterimagepolicy/clusterimagepolicy_types.go
  type ClusterImagePolicy (line 44) | type ClusterImagePolicy struct
  type Authority (line 66) | type Authority struct
    method UnmarshalJSON (line 208) | func (a *Authority) UnmarshalJSON(data []byte) error {
    method SourceSignaturePullSecretsOpts (line 242) | func (a *Authority) SourceSignaturePullSecretsOpts(ctx context.Context...
  type KeyRef (line 95) | type KeyRef struct
    method UnmarshalJSON (line 174) | func (k *KeyRef) UnmarshalJSON(data []byte) error {
  type KeylessRef (line 112) | type KeylessRef struct
  type StaticRef (line 127) | type StaticRef struct
  type AttestationPolicy (line 132) | type AttestationPolicy struct
  type RFC3161Timestamp (line 166) | type RFC3161Timestamp struct
  function ConvertClusterImagePolicyV1alpha1ToWebhook (line 274) | func ConvertClusterImagePolicyV1alpha1ToWebhook(in *v1alpha1.ClusterImag...
  function convertAuthorityV1Alpha1ToWebhook (line 314) | func convertAuthorityV1Alpha1ToWebhook(in v1alpha1.Authority) *Authority {
  function convertRFC3161TimestampV1Alpha1ToWebhook (line 334) | func convertRFC3161TimestampV1Alpha1ToWebhook(in *v1alpha1.RFC3161Timest...
  function convertAttestationsV1Alpha1ToWebhook (line 344) | func convertAttestationsV1Alpha1ToWebhook(in []v1alpha1.Attestation) []A...
  function convertKeyRefV1Alpha1ToWebhook (line 372) | func convertKeyRefV1Alpha1ToWebhook(in *v1alpha1.KeyRef) *KeyRef {
  function convertKeylessRefV1Alpha1ToWebhook (line 392) | func convertKeylessRefV1Alpha1ToWebhook(in *v1alpha1.KeylessRef) *Keyles...
  function convertStaticRefV1Alpha1ToWebhook (line 408) | func convertStaticRefV1Alpha1ToWebhook(in *v1alpha1.StaticRef) *StaticRef {

FILE: pkg/webhook/nocache.go
  type NoCache (line 23) | type NoCache struct
    method Get (line 26) | func (nc *NoCache) Get(ctx context.Context, image, uid, resourceVersio...
    method Set (line 30) | func (nc *NoCache) Set(ctx context.Context, image, name, uid, resource...

FILE: pkg/webhook/registryauth/azure/acrhelper.go
  type ACRHelper (line 31) | type ACRHelper struct
    method Add (line 37) | func (a ACRHelper) Add(_ *credentials.Credentials) error {
    method Delete (line 41) | func (a ACRHelper) Delete(_ string) error {
    method Get (line 45) | func (a ACRHelper) Get(registryURL string) (string, string, error) {
    method List (line 86) | func (a ACRHelper) List() (map[string]string, error) {
  function NewACRHelper (line 33) | func NewACRHelper() credentials.Helper {
  function isACR (line 90) | func isACR(registryURL string) bool {

FILE: pkg/webhook/registryauth/registryauth.go
  function NewK8sKeychain (line 47) | func NewK8sKeychain(ctx context.Context, client kubernetes.Interface, op...

FILE: pkg/webhook/validation.go
  function valid (line 39) | func valid(ctx context.Context, ref name.Reference, keys []crypto.Public...
  function validSignatures (line 73) | func validSignatures(ctx context.Context, ref name.Reference, checkOpts ...
  function validAttestations (line 79) | func validAttestations(ctx context.Context, ref name.Reference, checkOpt...
  function discoverAttestationsOCI11 (line 92) | func discoverAttestationsOCI11(ctx context.Context, ref name.Reference, ...
  function processAttestationArtifact (line 121) | func processAttestationArtifact(result v1.Descriptor, repository name.Re...
  function parsePems (line 173) | func parsePems(b []byte) []*pem.Block {

FILE: pkg/webhook/validator.go
  type Validator (line 64) | type Validator struct
    method ValidatePodScalable (line 149) | func (v *Validator) ValidatePodScalable(ctx context.Context, ps *polic...
    method ValidatePodSpecable (line 182) | func (v *Validator) ValidatePodSpecable(ctx context.Context, wp *duckv...
    method ValidatePod (line 208) | func (v *Validator) ValidatePod(ctx context.Context, p *duckv1.Pod) *a...
    method ValidateCronJob (line 233) | func (v *Validator) ValidateCronJob(ctx context.Context, c *duckv1.Cro...
    method validatePodSpec (line 259) | func (v *Validator) validatePodSpec(ctx context.Context, namespace, ki...
    method ResolvePodScalable (line 973) | func (v *Validator) ResolvePodScalable(ctx context.Context, ps *policy...
    method ResolvePodSpecable (line 998) | func (v *Validator) ResolvePodSpecable(ctx context.Context, wp *duckv1...
    method ResolvePod (line 1018) | func (v *Validator) ResolvePod(ctx context.Context, p *duckv1.Pod) {
    method ResolveCronJob (line 1037) | func (v *Validator) ResolveCronJob(ctx context.Context, c *duckv1.Cron...
    method resolvePodSpec (line 1059) | func (v *Validator) resolvePodSpec(ctx context.Context, ps *corev1.Pod...
    method validateContainerImage (line 1158) | func (v *Validator) validateContainerImage(ctx context.Context, contai...
  function NewValidator (line 66) | func NewValidator(_ context.Context) *Validator {
  function isDeletedOrStatusUpdate (line 73) | func isDeletedOrStatusUpdate(ctx context.Context, deletionTimestamp *met...
  type includeSpecKey (line 79) | type includeSpecKey struct
  function IncludeSpec (line 86) | func IncludeSpec(ctx context.Context, spec interface{}) context.Context {
  function GetIncludeSpec (line 95) | func GetIncludeSpec(ctx context.Context) interface{} {
  type includeObjectMetaKey (line 101) | type includeObjectMetaKey struct
  type includeTypeMetaKey (line 105) | type includeTypeMetaKey struct
  function IncludeObjectMeta (line 112) | func IncludeObjectMeta(ctx context.Context, meta interface{}) context.Co...
  function GetIncludeObjectMeta (line 121) | func GetIncludeObjectMeta(ctx context.Context) interface{} {
  function IncludeTypeMeta (line 130) | func IncludeTypeMeta(ctx context.Context, meta interface{}) context.Cont...
  function GetIncludeTypeMeta (line 141) | func GetIncludeTypeMeta(ctx context.Context) interface{} {
  function setNoMatchingPoliciesError (line 360) | func setNoMatchingPoliciesError(ctx context.Context, image, field string...
  function validatePolicies (line 395) | func validatePolicies(ctx context.Context, namespace string, ref name.Re...
  function asFieldError (line 465) | func asFieldError(warn bool, err error) *apis.FieldError {
  function ValidatePolicy (line 481) | func ValidatePolicy(ctx context.Context, namespace string, ref name.Refe...
  function ociSignatureToPolicySignature (line 646) | func ociSignatureToPolicySignature(ctx context.Context, sigs []oci.Signa...
  function signatureID (line 688) | func signatureID(sig oci.Signature) (string, error) {
  type attestation (line 719) | type attestation struct
  function attestationToPolicyAttestations (line 727) | func attestationToPolicyAttestations(ctx context.Context, atts []attesta...
  function ValidatePolicySignaturesForAuthority (line 780) | func ValidatePolicySignaturesForAuthority(ctx context.Context, ref name....
  function ValidatePolicyAttestationsForAuthority (line 832) | func ValidatePolicyAttestationsForAuthority(ctx context.Context, ref nam...
  function getNamespace (line 1132) | func getNamespace(ctx context.Context, namespace string) string {
  function errorsToFieldErrors (line 1191) | func errorsToFieldErrors(image, field string, index int, fieldErrors map...
  function refOrFieldError (line 1234) | func refOrFieldError(image, field string, index int) *apis.FieldError {
  type configFileResult (line 1252) | type configFileResult struct
  function getConfigs (line 1259) | func getConfigs(ctx context.Context, ref name.Reference, options ...remo...
  function normalizeArchitecture (line 1341) | func normalizeArchitecture(cf *v1.ConfigFile) string {
  function checkOptsFromAuthority (line 1352) | func checkOptsFromAuthority(ctx context.Context, authority webhookcip.Au...
  function sigstoreKeysFromContext (line 1497) | func sigstoreKeysFromContext(ctx context.Context, trustRootRef string) (...
  function fulcioCertsFromAuthority (line 1516) | func fulcioCertsFromAuthority(ctx context.Context, keylessRef *webhookci...
  function rekorClientAndKeysFromAuthority (line 1590) | func rekorClientAndKeysFromAuthority(ctx context.Context, authority webh...
  function rekorKeysFromTrustRef (line 1640) | func rekorKeysFromTrustRef(ctx context.Context, trustRootRef string) (*c...
  function splitPEMCertificateChain (line 1675) | func splitPEMCertificateChain(pem []byte) (leaves, intermediates, roots ...

FILE: pkg/webhook/validator_result.go
  type PolicyResult (line 36) | type PolicyResult struct
  type AuthorityMatch (line 76) | type AuthorityMatch struct
  type PolicySignature (line 93) | type PolicySignature struct
  type PolicyAttestation (line 111) | type PolicyAttestation struct
  type GithubExtensions (line 131) | type GithubExtensions struct

FILE: pkg/webhook/validator_test.go
  constant fulcioRootCert (line 74) | fulcioRootCert = "-----BEGIN CERTIFICATE-----\nMIICNzCCAd2gAwIBAgITPLBoB...
  constant rekorResponse (line 75) | rekorResponse  = "bad response"
  constant authorityKeyCosignPubString (line 78) | authorityKeyCosignPubString = `-----BEGIN PUBLIC KEY-----
  constant certChain (line 83) | certChain = `-----BEGIN CERTIFICATE-----
  constant rekorPublicKey (line 120) | rekorPublicKey = `-----BEGIN PUBLIC KEY-----
  constant rekorLogID (line 126) | rekorLogID = "0bac0fddd0c15fbc46f8b1bf51c2b57676a9f262294fe13417d85602e7...
  constant ctfePublicKey (line 128) | ctfePublicKey = `-----BEGIN PUBLIC KEY-----
  constant ctfeLogID (line 134) | ctfeLogID = "39d1c085f7d5f3fe7a0de9e52a3ead14186891e52a9269d90de7990a30b...
  function TestValidatePodSpec (line 137) | func TestValidatePodSpec(t *testing.T) {
  function TestValidateCronJob (line 843) | func TestValidateCronJob(t *testing.T) {
  function TestResolvePodSpec (line 1005) | func TestResolvePodSpec(t *testing.T) {
  function TestResolveCronJob (line 1316) | func TestResolveCronJob(t *testing.T) {
  function TestValidatePolicy (line 1539) | func TestValidatePolicy(t *testing.T) {
  function TestValidatePolicyAttestation (line 1872) | func TestValidatePolicyAttestation(t *testing.T) {
  function validateErrors (line 1954) | func validateErrors(t *testing.T, wantErr []string, got []error) {
  function TestValidatePodSpecNonDefaultNamespace (line 1967) | func TestValidatePodSpecNonDefaultNamespace(t *testing.T) {
  function TestValidatePodSpecCancelled (line 2730) | func TestValidatePodSpecCancelled(t *testing.T) {
  function TestValidatePolicyCancelled (line 2795) | func TestValidatePolicyCancelled(t *testing.T) {
  function TestValidatePoliciesCancelled (line 2829) | func TestValidatePoliciesCancelled(t *testing.T) {
  function TestPolicyControllerConfigNoMatchPolicy (line 2862) | func TestPolicyControllerConfigNoMatchPolicy(t *testing.T) {
  function TestFulcioCertsFromAuthority (line 2958) | func TestFulcioCertsFromAuthority(t *testing.T) {
  function TestRekorClientAndKeysFromAuthority (line 3082) | func TestRekorClientAndKeysFromAuthority(t *testing.T) {
  function TestCheckOptsFromAuthority (line 3195) | func TestCheckOptsFromAuthority(t *testing.T) {
  function TestSignatureID (line 3502) | func TestSignatureID(t *testing.T) {
  function mustRead (line 3530) | func mustRead(t *testing.T, path string) []byte {
  function newStaticSig (line 3539) | func newStaticSig(t *testing.T, payload []byte, cert []byte) oci.Signatu...
  function TestValidAttestationsOCI11Enabled_DISABLED (line 3554) | func TestValidAttestationsOCI11Enabled_DISABLED(t *testing.T) {
  function TestValidAttestationsOCI11Fallback (line 3626) | func TestValidAttestationsOCI11Fallback(t *testing.T) {
  function TestValidAttestationsOCI11Disabled (line 3671) | func TestValidAttestationsOCI11Disabled(t *testing.T) {
  function TestDiscoverAttestationsOCI11NoAttestations (line 3716) | func TestDiscoverAttestationsOCI11NoAttestations(t *testing.T) {
  function TestDiscoverAttestationsOCI11ResolveDigestFails (line 3760) | func TestDiscoverAttestationsOCI11ResolveDigestFails(t *testing.T) {
  function TestDiscoverAttestationsOCI11ReferrersFails (line 3785) | func TestDiscoverAttestationsOCI11ReferrersFails(t *testing.T) {
  type mockSignedImage (line 3817) | type mockSignedImage struct
    method Digest (line 3821) | func (m *mockSignedImage) Digest() (v1.Hash, error) {
    method Signatures (line 3825) | func (m *mockSignedImage) Signatures() (oci.Signatures, error) {
    method Attestations (line 3829) | func (m *mockSignedImage) Attestations() (oci.Signatures, error) {
    method Attachment (line 3833) | func (m *mockSignedImage) Attachment(name string) (oci.File, error) {
    method Layers (line 3837) | func (m *mockSignedImage) Layers() ([]v1.Layer, error) {
    method ConfigName (line 3841) | func (m *mockSignedImage) ConfigName() (v1.Hash, error) {
    method ConfigFile (line 3845) | func (m *mockSignedImage) ConfigFile() (*v1.ConfigFile, error) {
    method RawConfigFile (line 3849) | func (m *mockSignedImage) RawConfigFile() ([]byte, error) {
    method Manifest (line 3853) | func (m *mockSignedImage) Manifest() (*v1.Manifest, error) {
    method RawManifest (line 3857) | func (m *mockSignedImage) RawManifest() ([]byte, error) {
    method LayerByDigest (line 3861) | func (m *mockSignedImage) LayerByDigest(hash v1.Hash) (v1.Layer, error) {
    method LayerByDiffID (line 3865) | func (m *mockSignedImage) LayerByDiffID(hash v1.Hash) (v1.Layer, error) {
    method MediaType (line 3869) | func (m *mockSignedImage) MediaType() (v1types.MediaType, error) {
    method Size (line 3873) | func (m *mockSignedImage) Size() (int64, error) {
  type mockLayer (line 3877) | type mockLayer struct
    method Digest (line 3881) | func (m *mockLayer) Digest() (v1.Hash, error) {
    method DiffID (line 3885) | func (m *mockLayer) DiffID() (v1.Hash, error) {
    method Compressed (line 3889) | func (m *mockLayer) Compressed() (io.ReadCloser, error) {
    method Uncompressed (line 3893) | func (m *mockLayer) Uncompressed() (io.ReadCloser, error) {
    method Size (line 3897) | func (m *mockLayer) Size() (int64, error) {
    method MediaType (line 3901) | func (m *mockLayer) MediaType() (v1types.MediaType, error) {
  function TestProcessAttestationArtifact (line 3905) | func TestProcessAttestationArtifact(t *testing.T) {
  function TestDiscoverAttestationsOCI11SuccessfulDiscovery (line 4031) | func TestDiscoverAttestationsOCI11SuccessfulDiscovery(t *testing.T) {
  function TestDiscoverAttestationsOCI11MixedArtifacts (line 4091) | func TestDiscoverAttestationsOCI11MixedArtifacts(t *testing.T) {
  function TestDiscoverAttestationsOCI11PartialProcessingFailure (line 4162) | func TestDiscoverAttestationsOCI11PartialProcessingFailure(t *testing.T) {

FILE: test/cert_utils.go
  function createCertificate (line 52) | func createCertificate(template *x509.Certificate, parent *x509.Certific...
  function GenerateRootCa (line 65) | func GenerateRootCa() (*x509.Certificate, *ecdsa.PrivateKey, error) {
  function GenerateSubordinateCa (line 92) | func GenerateSubordinateCa(rootTemplate *x509.Certificate, rootPriv cryp...
  function GenerateLeafCert (line 120) | func GenerateLeafCert(subject string, oidcIssuer string, parentTemplate ...
  function GenerateLeafCertWithSubjectAlternateNames (line 150) | func GenerateLeafCertWithSubjectAlternateNames(dnsNames []string, emailA...

FILE: test/cmd/getoidctoken/main.go
  type envConfig (line 27) | type envConfig struct
  function tokenWriter (line 31) | func tokenWriter(filename string) func(http.ResponseWriter, *http.Reques...
  function getToken (line 36) | func getToken(tokenFile string, w http.ResponseWriter, _ *http.Request) {
  function main (line 50) | func main() {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/errwrap/errwrap.go
  type WalkFunc (line 15) | type WalkFunc
  type Wrapper (line 24) | type Wrapper interface
  function Wrap (line 34) | func Wrap(outer, inner error) error {
  function Wrapf (line 49) | func Wrapf(format string, err error) error {
  function Contains (line 64) | func Contains(err error, msg string) bool {
  function ContainsType (line 71) | func ContainsType(err error, v interface{}) bool {
  function Get (line 76) | func Get(err error, msg string) error {
  function GetType (line 86) | func GetType(err error, v interface{}) error {
  function GetAll (line 98) | func GetAll(err error, msg string) []error {
  function GetAllType (line 113) | func GetAllType(err error, v interface{}) []error {
  function Walk (line 138) | func Walk(err error, cb WalkFunc) {
  type wrappedError (line 163) | type wrappedError struct
    method Error (line 168) | func (w *wrappedError) Error() string {
    method WrappedErrors (line 172) | func (w *wrappedError) WrappedErrors() []error {
    method Unwrap (line 176) | func (w *wrappedError) Unwrap() error {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-cleanhttp/cleanhttp.go
  function DefaultTransport (line 12) | func DefaultTransport() *http.Transport {
  function DefaultPooledTransport (line 23) | func DefaultPooledTransport() *http.Transport {
  function DefaultClient (line 44) | func DefaultClient() *http.Client {
  function DefaultPooledClient (line 54) | func DefaultPooledClient() *http.Client {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-cleanhttp/handlers.go
  type HandlerInput (line 10) | type HandlerInput struct
  function PrintablePathCheckHandler (line 16) | func PrintablePathCheckHandler(next http.Handler, input *HandlerInput) h...

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/append.go
  function Append (line 11) | func Append(err error, errs ...error) *Error {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/flatten.go
  function Flatten (line 5) | func Flatten(err error) error {
  function flatten (line 17) | func flatten(err error, flatErr *Error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/format.go
  type ErrorFormatFunc (line 10) | type ErrorFormatFunc
  function ListFormatFunc (line 14) | func ListFormatFunc(es []error) string {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/group.go
  type Group (line 7) | type Group struct
    method Go (line 17) | func (g *Group) Go(f func() error) {
    method Wait (line 33) | func (g *Group) Wait() *Error {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/multierror.go
  type Error (line 10) | type Error struct
    method Error (line 15) | func (e *Error) Error() string {
    method ErrorOrNil (line 28) | func (e *Error) ErrorOrNil() error {
    method GoString (line 39) | func (e *Error) GoString() string {
    method WrappedErrors (line 50) | func (e *Error) WrappedErrors() []error {
    method Unwrap (line 68) | func (e *Error) Unwrap() error {
  type chain (line 96) | type chain
    method Error (line 99) | func (e chain) Error() string {
    method Unwrap (line 105) | func (e chain) Unwrap() error {
    method As (line 114) | func (e chain) As(target interface{}) bool {
    method Is (line 119) | func (e chain) Is(target error) bool {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/prefix.go
  function Prefix (line 15) | func Prefix(err error, prefix string) error {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-multierror/sort.go
  method Len (line 4) | func (err Error) Len() int {
  method Swap (line 9) | func (err Error) Swap(i, j int) {
  method Less (line 14) | func (err Error) Less(i, j int) bool {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/cert_error_go119.go
  function isCertError (line 11) | func isCertError(err error) bool {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/cert_error_go120.go
  function isCertError (line 11) | func isCertError(err error) bool {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/client.go
  type ReaderFunc (line 90) | type ReaderFunc
  type ResponseHandlerFunc (line 102) | type ResponseHandlerFunc
  type LenReader (line 106) | type LenReader interface
  type Request (line 111) | type Request struct
    method WithContext (line 125) | func (r *Request) WithContext(ctx context.Context) *Request {
    method SetResponseHandler (line 134) | func (r *Request) SetResponseHandler(fn ResponseHandlerFunc) {
    method BodyBytes (line 144) | func (r *Request) BodyBytes() ([]byte, error) {
    method SetBody (line 163) | func (r *Request) SetBody(rawBody interface{}) error {
    method WriteTo (line 193) | func (r *Request) WriteTo(w io.Writer) (int64, error) {
  function getBodyReaderAndContentLength (line 204) | func getBodyReaderAndContentLength(rawBody interface{}) (ReaderFunc, int...
  function FromRequest (line 305) | func FromRequest(r *http.Request) (*Request, error) {
  function NewRequest (line 315) | func NewRequest(method, url string, rawBody interface{}) (*Request, erro...
  function NewRequestWithContext (line 323) | func NewRequestWithContext(ctx context.Context, method, url string, rawB...
  type Logger (line 341) | type Logger interface
  type LeveledLogger (line 350) | type LeveledLogger interface
  type hookLogger (line 359) | type hookLogger struct
    method Printf (line 363) | func (h hookLogger) Printf(s string, args ...interface{}) {
  type RequestLogHook (line 371) | type RequestLogHook
  type ResponseLogHook (line 378) | type ResponseLogHook
  type CheckRetry (line 388) | type CheckRetry
  type Backoff (line 393) | type Backoff
  type ErrorHandler (line 399) | type ErrorHandler
  type PrepareRetry (line 402) | type PrepareRetry
  type Client (line 406) | type Client struct
    method logger (line 452) | func (c *Client) logger() interface{} {
    method Do (line 666) | func (c *Client) Do(req *Request) (*http.Response, error) {
    method drainBody (line 846) | func (c *Client) drainBody(body io.ReadCloser) {
    method Get (line 867) | func (c *Client) Get(url string) (*http.Response, error) {
    method Head (line 881) | func (c *Client) Head(url string) (*http.Response, error) {
    method Post (line 897) | func (c *Client) Post(url, bodyType string, body interface{}) (*http.R...
    method PostForm (line 914) | func (c *Client) PostForm(url string, data url.Values) (*http.Response...
    method StandardClient (line 920) | func (c *Client) StandardClient() *http.Client {
  function NewClient (line 440) | func NewClient() *Client {
  function DefaultRetryPolicy (line 472) | func DefaultRetryPolicy(ctx context.Context, resp *http.Response, err er...
  function ErrorPropagatedRetryPolicy (line 486) | func ErrorPropagatedRetryPolicy(ctx context.Context, resp *http.Response...
  function baseRetryPolicy (line 495) | func baseRetryPolicy(resp *http.Response, err error) (bool, error) {
  function DefaultBackoff (line 551) | func DefaultBackoff(min, max time.Duration, attemptNum int, resp *http.R...
  function parseRetryAfterHeader (line 578) | func parseRetryAfterHeader(headers []string) (time.Duration, bool) {
  function LinearJitterBackoff (line 619) | func LinearJitterBackoff(min, max time.Duration, attemptNum int, resp *h...
  function RateLimitLinearJitterBackoff (line 647) | func RateLimitLinearJitterBackoff(min, max time.Duration, attemptNum int...
  function PassthroughErrorHandler (line 661) | func PassthroughErrorHandler(resp *http.Response, err error, _ int) (*ht...
  function Get (line 862) | func Get(url string) (*http.Response, error) {
  function Head (line 876) | func Head(url string) (*http.Response, error) {
  function Post (line 891) | func Post(url, bodyType string, body interface{}) (*http.Response, error) {
  function PostForm (line 908) | func PostForm(url string, data url.Values) (*http.Response, error) {
  function redactURL (line 928) | func redactURL(u *url.URL) string {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp/roundtripper.go
  type RoundTripper (line 19) | type RoundTripper struct
    method init (line 30) | func (rt *RoundTripper) init() {
    method RoundTrip (line 37) | func (rt *RoundTripper) RoundTrip(req *http.Request) (*http.Response, ...

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-rootcerts/rootcerts.go
  type Config (line 17) | type Config struct
  function ConfigureTLS (line 32) | func ConfigureTLS(t *tls.Config, c *Config) error {
  function LoadCACerts (line 45) | func LoadCACerts(c *Config) (*x509.CertPool, error) {
  function LoadCAFile (line 63) | func LoadCAFile(caFile string) (*x509.CertPool, error) {
  function AppendCertificate (line 80) | func AppendCertificate(ca []byte) (*x509.CertPool, error) {
  function LoadCAPath (line 93) | func LoadCAPath(caPath string) (*x509.CertPool, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-rootcerts/rootcerts_base.go
  function LoadSystemCAs (line 10) | func LoadSystemCAs() (*x509.CertPool, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-rootcerts/rootcerts_darwin.go
  function LoadSystemCAs (line 12) | func LoadSystemCAs() (*x509.CertPool, error) {
  function addCertsFromKeychain (line 25) | func addCertsFromKeychain(pool *x509.CertPool, keychain string) error {
  function certKeychains (line 37) | func certKeychains() []string {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-secure-stdlib/parseutil/normalize.go
  constant genDelims (line 15) | genDelims = ":/?#[]@"
  function normalizeHostPort (line 17) | func normalizeHostPort(host string, port string) (string, error) {
  function parseUrl (line 43) | func parseUrl(addr string) (string, error) {
  function NormalizeAddr (line 77) | func NormalizeAddr(address string) (string, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-secure-stdlib/parseutil/parsepath.go
  type options (line 20) | type options struct
  type option (line 25) | type option
  type optionFunc (line 27) | type optionFunc
  function ParsePath (line 46) | func ParsePath(path string, options ...option) (string, error) {
  function MustParsePath (line 52) | func MustParsePath(path string, options ...option) (string, error) {
  function parsePath (line 56) | func parsePath(path string, mustParse bool, passedOptions []option) (str...
  function WithNoTrimSpaces (line 109) | func WithNoTrimSpaces(noTrim bool) option {
  function WithErrorOnMissingEnv (line 118) | func WithErrorOnMissingEnv(errorOnMissingEnv bool) option {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-secure-stdlib/parseutil/parseutil.go
  function ParseCapacityString (line 30) | func ParseCapacityString(in interface{}) (uint64, error) {
  function ParseDurationSecond (line 105) | func ParseDurationSecond(in interface{}) (time.Duration, error) {
  function overflowMul (line 164) | func overflowMul(a time.Duration, b time.Duration) (time.Duration, error) {
  function ParseAbsoluteTime (line 175) | func ParseAbsoluteTime(in interface{}) (time.Time, error) {
  function ParseInt (line 230) | func ParseInt(in interface{}) (int64, error) {
  function ParseDirectIntSlice (line 272) | func ParseDirectIntSlice(in interface{}) ([]int64, error) {
  function ParseIntSlice (line 334) | func ParseIntSlice(in interface{}) ([]int64, error) {
  function ParseBool (line 365) | func ParseBool(in interface{}) (bool, error) {
  function ParseString (line 374) | func ParseString(in interface{}) (string, error) {
  function ParseCommaStringSlice (line 383) | func ParseCommaStringSlice(in interface{}) ([]string, error) {
  function ParseAddrs (line 410) | func ParseAddrs(addrs interface{}) ([]*sockaddr.SockAddrMarshaler, error) {
  function SafeParseIntRange (line 454) | func SafeParseIntRange(in interface{}, min int64, max int64) (int64, err...
  function SafeParseInt (line 470) | func SafeParseInt(in interface{}) (int, error) {
  function SafeParseIntSliceRange (line 482) | func SafeParseIntSliceRange(in interface{}, minValue int64, maxValue int...
  function SafeParseIntSlice (line 508) | func SafeParseIntSlice(in interface{}, elements int) ([]int, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-secure-stdlib/strutil/strutil.go
  function StrListContainsGlob (line 16) | func StrListContainsGlob(haystack []string, needle string) bool {
  function StrListContains (line 26) | func StrListContains(haystack []string, needle string) bool {
  function StrListContainsCaseInsensitive (line 36) | func StrListContainsCaseInsensitive(haystack []string, needle string) bo...
  function StrListSubset (line 47) | func StrListSubset(super, sub []string) bool {
  function ParseDedupAndSortStrings (line 59) | func ParseDedupAndSortStrings(input string, sep string) []string {
  function ParseDedupLowercaseAndSortStrings (line 73) | func ParseDedupLowercaseAndSortStrings(input string, sep string) []string {
  function ParseKeyValues (line 85) | func ParseKeyValues(input string, out map[string]string, sep string) err...
  function ParseArbitraryKeyValues (line 121) | func ParseArbitraryKeyValues(input string, out map[string]string, sep st...
  function ParseStringSlice (line 162) | func ParseStringSlice(input string, sep string) []string {
  function ParseArbitraryStringSlice (line 188) | func ParseArbitraryStringSlice(input string, sep string) []string {
  function TrimStrings (line 221) | func TrimStrings(items []string) []string {
  function RemoveDuplicates (line 232) | func RemoveDuplicates(items []string, lowercase bool) []string {
  function RemoveDuplicatesStable (line 256) | func RemoveDuplicatesStable(items []string, caseInsensitive bool) []stri...
  function RemoveEmpty (line 279) | func RemoveEmpty(items []string) []string {
  function EquivalentSlices (line 295) | func EquivalentSlices(a, b []string) bool {
  function EqualStringMaps (line 343) | func EqualStringMaps(a, b map[string]string) bool {
  function StrListDelete (line 360) | func StrListDelete(s []string, d string) []string {
  function GlobbedStringsMatch (line 376) | func GlobbedStringsMatch(item, val string) bool {
  function AppendIfMissing (line 396) | func AppendIfMissing(slice []string, i string) []string {
  function MergeSlices (line 404) | func MergeSlices(args ...[]string) []string {
  function Difference (line 423) | func Difference(a, b []string, lowercase bool) []string {
  function GetString (line 464) | func GetString(m map[string]interface{}, key string) (string, error) {
  function Printable (line 486) | func Printable(s string) bool {
  function StringListToInterfaceList (line 494) | func StringListToInterfaceList(in []string) []interface{} {
  function Reverse (line 503) | func Reverse(in string) string {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ifaddr.go
  function init (line 9) | func init() {
  function GetPrivateIP (line 21) | func GetPrivateIP() (string, error) {
  function GetPrivateIPs (line 43) | func GetPrivateIPs() (string, error) {
  function GetPublicIP (line 90) | func GetPublicIP() (string, error) {
  function GetPublicIPs (line 112) | func GetPublicIPs() (string, error) {
  function GetInterfaceIP (line 151) | func GetInterfaceIP(namedIfRE string) (string, error) {
  function GetInterfaceIPs (line 192) | func GetInterfaceIPs(namedIfRE string) (string, error) {
  function IfAddrAttrs (line 223) | func IfAddrAttrs() []AttrName {
  function IfAddrAttr (line 229) | func IfAddrAttr(ifAddr IfAddr, attrName AttrName) string {
  function ifAddrAttrInit (line 239) | func ifAddrAttrInit() {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ifaddrs.go
  type IfAddrs (line 26) | type IfAddrs
    method Len (line 28) | func (ifs IfAddrs) Len() int { return len(ifs) }
  type CmpIfAddrFunc (line 32) | type CmpIfAddrFunc
  type multiIfAddrSorter (line 35) | type multiIfAddrSorter struct
    method Sort (line 42) | func (ms *multiIfAddrSorter) Sort(ifAddrs IfAddrs) {
    method Len (line 55) | func (ms *multiIfAddrSorter) Len() int {
    method Less (line 64) | func (ms *multiIfAddrSorter) Less(i, j int) bool {
    method Swap (line 96) | func (ms *multiIfAddrSorter) Swap(i, j int) {
  function OrderedIfAddrBy (line 48) | func OrderedIfAddrBy(cmpFuncs ...CmpIfAddrFunc) *multiIfAddrSorter {
  function AscIfAddress (line 102) | func AscIfAddress(p1Ptr, p2Ptr *IfAddr) int {
  function AscIfDefault (line 117) | func AscIfDefault(p1Ptr, p2Ptr *IfAddr) int {
  function AscIfName (line 141) | func AscIfName(p1Ptr, p2Ptr *IfAddr) int {
  function AscIfNetworkSize (line 147) | func AscIfNetworkSize(p1Ptr, p2Ptr *IfAddr) int {
  function AscIfPort (line 153) | func AscIfPort(p1Ptr, p2Ptr *IfAddr) int {
  function AscIfPrivate (line 161) | func AscIfPrivate(p1Ptr, p2Ptr *IfAddr) int {
  function AscIfType (line 167) | func AscIfType(p1Ptr, p2Ptr *IfAddr) int {
  function DescIfAddress (line 172) | func DescIfAddress(p1Ptr, p2Ptr *IfAddr) int {
  function DescIfDefault (line 177) | func DescIfDefault(p1Ptr, p2Ptr *IfAddr) int {
  function DescIfName (line 182) | func DescIfName(p1Ptr, p2Ptr *IfAddr) int {
  function DescIfNetworkSize (line 187) | func DescIfNetworkSize(p1Ptr, p2Ptr *IfAddr) int {
  function DescIfPort (line 192) | func DescIfPort(p1Ptr, p2Ptr *IfAddr) int {
  function DescIfPrivate (line 197) | func DescIfPrivate(p1Ptr, p2Ptr *IfAddr) int {
  function DescIfType (line 202) | func DescIfType(p1Ptr, p2Ptr *IfAddr) int {
  function FilterIfByType (line 207) | func FilterIfByType(ifAddrs IfAddrs, type_ SockAddrType) (matchedIfs, ex...
  function IfAttr (line 223) | func IfAttr(selectorName string, ifAddr IfAddr) (string, error) {
  function IfAttrs (line 231) | func IfAttrs(selectorName string, ifAddrs IfAddrs) (string, error) {
  function GetAllInterfaces (line 244) | func GetAllInterfaces() (IfAddrs, error) {
  function GetDefaultInterfaces (line 277) | func GetDefaultInterfaces() (IfAddrs, error) {
  function GetPrivateInterfaces (line 307) | func GetPrivateInterfaces() (IfAddrs, error) {
  function GetPublicInterfaces (line 355) | func GetPublicInterfaces() (IfAddrs, error) {
  function IfByAddress (line 397) | func IfByAddress(inputRe string, ifAddrs IfAddrs) (matched, remainder If...
  function IfByName (line 418) | func IfByName(inputRe string, ifAddrs IfAddrs) (matched, remainder IfAdd...
  function IfByPort (line 439) | func IfByPort(inputRe string, ifAddrs IfAddrs) (matchedIfs, excludedIfs ...
  function IfByRFC (line 467) | func IfByRFC(selectorParam string, ifAddrs IfAddrs) (matched, remainder ...
  function IfByRFCs (line 503) | func IfByRFCs(selectorParam string, ifAddrs IfAddrs) (matched, remainder...
  function IfByMaskSize (line 519) | func IfByMaskSize(selectorParam string, ifAddrs IfAddrs) (matchedIfs, ex...
  function IfByType (line 559) | func IfByType(inputTypes string, ifAddrs IfAddrs) (matched, remainder If...
  function IfByFlag (line 606) | func IfByFlag(inputFlags string, ifAddrs IfAddrs) (matched, remainder If...
  function IfByNetwork (line 706) | func IfByNetwork(selectorParam string, inputIfAddrs IfAddrs) (IfAddrs, I...
  function IfAddrMath (line 727) | func IfAddrMath(operation, value string, inputIfAddr IfAddr) (IfAddr, er...
  function IfAddrsMath (line 953) | func IfAddrsMath(operation, value string, inputIfAddrs IfAddrs) (IfAddrs...
  function IncludeIfs (line 966) | func IncludeIfs(selectorName, selectorParam string, inputIfAddrs IfAddrs...
  function ExcludeIfs (line 999) | func ExcludeIfs(selectorName, selectorParam string, inputIfAddrs IfAddrs...
  function SortIfBy (line 1033) | func SortIfBy(selectorParam string, inputIfAddrs IfAddrs) (IfAddrs, erro...
  function UniqueIfAddrsBy (line 1103) | func UniqueIfAddrsBy(selectorName string, inputIfAddrs IfAddrs) (IfAddrs...
  function JoinIfAddrs (line 1132) | func JoinIfAddrs(selectorName string, joinStr string, inputIfAddrs IfAdd...
  function LimitIfAddrs (line 1149) | func LimitIfAddrs(lim uint, in IfAddrs) (IfAddrs, error) {
  function OffsetIfAddrs (line 1159) | func OffsetIfAddrs(off int, in IfAddrs) (IfAddrs, error) {
  method String (line 1176) | func (ifAddr IfAddr) String() string {
  function parseDefaultIfNameFromRoute (line 1182) | func parseDefaultIfNameFromRoute(routeOut string) (string, error) {
  function parseDefaultIfNameFromIPCmd (line 1201) | func parseDefaultIfNameFromIPCmd(routeOut string) (string, error) {
  function parseDefaultIfNameFromIPCmdAndroid (line 1217) | func parseDefaultIfNameFromIPCmdAndroid(routeOut string) (string, error) {
  function parseIfNameFromIPCmd (line 1229) | func parseIfNameFromIPCmd(routeOut string) [][]string {
  function parseDefaultIfNameWindows (line 1249) | func parseDefaultIfNameWindows(routeOut, ipconfigOut string) (string, er...
  function parseDefaultIPAddrWindowsRoute (line 1274) | func parseDefaultIPAddrWindowsRoute(routeOut string) (string, error) {
  function parseDefaultIfNameWindowsIPConfig (line 1298) | func parseDefaultIfNameWindowsIPConfig(defaultIPAddr, routeOut string) (...

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ifattr.go
  type IfAddr (line 9) | type IfAddr struct
    method Attr (line 15) | func (ifAddr IfAddr) Attr(attrName AttrName) (string, error) {
  function Attr (line 25) | func Attr(sa SockAddr, attrName AttrName) (string, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ipaddr.go
  constant IPv3len (line 12) | IPv3len = 6
  constant IPv4len (line 13) | IPv4len = 4
  constant IPv6len (line 14) | IPv6len = 16
  type IPAddr (line 19) | type IPAddr interface
  type IPPort (line 39) | type IPPort
  type IPPrefixLen (line 43) | type IPPrefixLen
  function init (line 49) | func init() {
  function NewIPAddr (line 55) | func NewIPAddr(addr string) (IPAddr, error) {
  function IPAddrAttr (line 71) | func IPAddrAttr(ip IPAddr, selector AttrName) string {
  function IPAttrs (line 81) | func IPAttrs() []AttrName {
  function MustIPAddr (line 87) | func MustIPAddr(addr string) IPAddr {
  function ipAddrInit (line 96) | func ipAddrInit() {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ipaddrs.go
  type IPAddrs (line 5) | type IPAddrs
    method Len (line 7) | func (s IPAddrs) Len() int      { return len(s) }
    method Swap (line 8) | func (s IPAddrs) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
  type SortIPAddrsByNetworkSize (line 26) | type SortIPAddrsByNetworkSize struct
    method Less (line 30) | func (s SortIPAddrsByNetworkSize) Less(i, j int) bool {
  type SortIPAddrsBySpecificMaskLen (line 80) | type SortIPAddrsBySpecificMaskLen struct
    method Less (line 84) | func (s SortIPAddrsBySpecificMaskLen) Less(i, j int) bool {
  type SortIPAddrsByBroadMaskLen (line 92) | type SortIPAddrsByBroadMaskLen struct
    method Less (line 96) | func (s SortIPAddrsByBroadMaskLen) Less(i, j int) bool {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ipv4addr.go
  type IPv4Address (line 14) | type IPv4Address
  type IPv4Network (line 17) | type IPv4Network
  type IPv4Mask (line 20) | type IPv4Mask
  constant IPv4HostMask (line 25) | IPv4HostMask = IPv4Mask(0xffffffff)
  type IPv4Addr (line 36) | type IPv4Addr struct
    method AddressBinString (line 136) | func (ipv4 IPv4Addr) AddressBinString() string {
    method AddressHexString (line 143) | func (ipv4 IPv4Addr) AddressHexString() string {
    method Broadcast (line 152) | func (ipv4 IPv4Addr) Broadcast() IPAddr {
    method BroadcastAddress (line 162) | func (ipv4 IPv4Addr) BroadcastAddress() IPv4Network {
    method CmpAddress (line 172) | func (ipv4 IPv4Addr) CmpAddress(sa SockAddr) int {
    method CmpPort (line 194) | func (ipv4 IPv4Addr) CmpPort(sa SockAddr) int {
    method CmpRFC (line 221) | func (ipv4 IPv4Addr) CmpRFC(rfcNum uint, sa SockAddr) int {
    method Contains (line 251) | func (ipv4 IPv4Addr) Contains(sa SockAddr) bool {
    method ContainsAddress (line 262) | func (ipv4 IPv4Addr) ContainsAddress(x IPv4Address) bool {
    method ContainsNetwork (line 269) | func (ipv4 IPv4Addr) ContainsNetwork(x IPv4Addr) bool {
    method DialPacketArgs (line 278) | func (ipv4 IPv4Addr) DialPacketArgs() (network, dialArgs string) {
    method DialStreamArgs (line 289) | func (ipv4 IPv4Addr) DialStreamArgs() (network, dialArgs string) {
    method Equal (line 297) | func (ipv4 IPv4Addr) Equal(sa SockAddr) bool {
    method FirstUsable (line 325) | func (ipv4 IPv4Addr) FirstUsable() IPAddr {
    method Host (line 343) | func (ipv4 IPv4Addr) Host() IPAddr {
    method IPPort (line 353) | func (ipv4 IPv4Addr) IPPort() IPPort {
    method LastUsable (line 359) | func (ipv4 IPv4Addr) LastUsable() IPAddr {
    method ListenPacketArgs (line 377) | func (ipv4 IPv4Addr) ListenPacketArgs() (network, listenArgs string) {
    method ListenStreamArgs (line 387) | func (ipv4 IPv4Addr) ListenStreamArgs() (network, listenArgs string) {
    method Maskbits (line 396) | func (ipv4 IPv4Addr) Maskbits() int {
    method NetIP (line 415) | func (ipv4 IPv4Addr) NetIP() *net.IP {
    method NetIPMask (line 422) | func (ipv4 IPv4Addr) NetIPMask() *net.IPMask {
    method NetIPNet (line 430) | func (ipv4 IPv4Addr) NetIPNet() *net.IPNet {
    method Network (line 439) | func (ipv4 IPv4Addr) Network() IPAddr {
    method NetworkAddress (line 447) | func (ipv4 IPv4Addr) NetworkAddress() IPv4Network {
    method Octets (line 453) | func (ipv4 IPv4Addr) Octets() []int {
    method String (line 463) | func (ipv4 IPv4Addr) String() string {
    method Type (line 476) | func (IPv4Addr) Type() SockAddrType {
  function init (line 43) | func init() {
  function NewIPv4Addr (line 57) | func NewIPv4Addr(ipv4Str string) (IPv4Addr, error) {
  function MustIPv4Addr (line 405) | func MustIPv4Addr(addr string) IPv4Addr {
  function IPv4AddrAttr (line 482) | func IPv4AddrAttr(ipv4 IPv4Addr, selector AttrName) string {
  function IPv4Attrs (line 492) | func IPv4Attrs() []AttrName {
  function ipv4AddrInit (line 497) | func ipv4AddrInit() {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/ipv6addr.go
  type IPv6Address (line 13) | type IPv6Address
  type IPv6Network (line 16) | type IPv6Network
  type IPv6Mask (line 19) | type IPv6Mask
  constant IPv6HostPrefix (line 23) | IPv6HostPrefix = IPPrefixLen(128)
  function init (line 33) | func init() {
  type IPv6Addr (line 55) | type IPv6Addr struct
    method AddressBinString (line 161) | func (ipv6 IPv6Addr) AddressBinString() string {
    method AddressHexString (line 169) | func (ipv6 IPv6Addr) AddressHexString() string {
    method CmpAddress (line 180) | func (ipv6 IPv6Addr) CmpAddress(sa SockAddr) int {
    method CmpPort (line 200) | func (ipv6 IPv6Addr) CmpPort(sa SockAddr) int {
    method CmpRFC (line 227) | func (ipv6 IPv6Addr) CmpRFC(rfcNum uint, sa SockAddr) int {
    method Contains (line 256) | func (ipv6 IPv6Addr) Contains(sa SockAddr) bool {
    method ContainsAddress (line 267) | func (ipv6 IPv6Addr) ContainsAddress(x IPv6Address) bool {
    method ContainsNetwork (line 293) | func (x IPv6Addr) ContainsNetwork(y IPv6Addr) bool {
    method DialPacketArgs (line 316) | func (ipv6 IPv6Addr) DialPacketArgs() (network, dialArgs string) {
    method DialStreamArgs (line 328) | func (ipv6 IPv6Addr) DialStreamArgs() (network, dialArgs string) {
    method Equal (line 337) | func (ipv6a IPv6Addr) Equal(sa SockAddr) bool {
    method FirstUsable (line 365) | func (ipv6 IPv6Addr) FirstUsable() IPAddr {
    method Host (line 375) | func (ipv6 IPv6Addr) Host() IPAddr {
    method IPPort (line 385) | func (ipv6 IPv6Addr) IPPort() IPPort {
    method LastUsable (line 390) | func (ipv6 IPv6Addr) LastUsable() IPAddr {
    method ListenPacketArgs (line 413) | func (ipv6 IPv6Addr) ListenPacketArgs() (network, listenArgs string) {
    method ListenStreamArgs (line 424) | func (ipv6 IPv6Addr) ListenStreamArgs() (network, listenArgs string) {
    method Maskbits (line 434) | func (ipv6 IPv6Addr) Maskbits() int {
    method NetIP (line 451) | func (ipv6 IPv6Addr) NetIP() *net.IP {
    method NetIPMask (line 456) | func (ipv6 IPv6Addr) NetIPMask() *net.IPMask {
    method NetIPNet (line 464) | func (ipv6 IPv6Addr) NetIPNet() *net.IPNet {
    method Network (line 473) | func (ipv6 IPv6Addr) Network() IPAddr {
    method NetworkAddress (line 481) | func (ipv6 IPv6Addr) NetworkAddress() IPv6Network {
    method Octets (line 496) | func (ipv6 IPv6Addr) Octets() []int {
    method String (line 506) | func (ipv6 IPv6Addr) String() string {
    method Type (line 519) | func (IPv6Addr) Type() SockAddrType {
  function NewIPv6Addr (line 71) | func NewIPv6Addr(ipv6Str string) (IPv6Addr, error) {
  function MustIPv6Addr (line 442) | func MustIPv6Addr(addr string) IPv6Addr {
  function IPv6Attrs (line 524) | func IPv6Attrs() []AttrName {
  function IPv6AddrAttr (line 530) | func IPv6AddrAttr(ipv6 IPv6Addr, selector AttrName) string {
  function ipv6AddrInit (line 540) | func ipv6AddrInit() {
  function bigIntToNetIPv6 (line 562) | func bigIntToNetIPv6(bi *big.Int) *net.IP {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/rfc.go
  constant ForwardingBlacklist (line 5) | ForwardingBlacklist = 4294967295
  constant ForwardingBlacklistRFC (line 6) | ForwardingBlacklistRFC = "4294967295"
  function IsRFC (line 9) | func IsRFC(rfcNum uint, sa SockAddr) bool {
  function KnownRFCs (line 38) | func KnownRFCs() map[uint]SockAddrs {
  function VisitAllRFCs (line 934) | func VisitAllRFCs(fn func(rfcNum uint, sockaddrs SockAddrs)) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info.go
  type RouteInterface (line 12) | type RouteInterface interface
  type routeInfo (line 19) | type routeInfo struct
    method VisitCommands (line 25) | func (ri routeInfo) VisitCommands(fn func(name string, cmd []string)) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_aix.go
  function NewRouteInfo (line 16) | func NewRouteInfo() (routeInfo, error) {
  method GetDefaultInterfaceName (line 24) | func (ri routeInfo) GetDefaultInterfaceName() (string, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_android.go
  function NewRouteInfo (line 12) | func NewRouteInfo() (routeInfo, error) {
  method GetDefaultInterfaceName (line 20) | func (ri routeInfo) GetDefaultInterfaceName() (string, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_bsd.go
  function NewRouteInfo (line 14) | func NewRouteInfo() (routeInfo, error) {
  method GetDefaultInterfaceName (line 22) | func (ri routeInfo) GetDefaultInterfaceName() (string, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_default.go
  function getDefaultIfName (line 7) | func getDefaultIfName() (string, error) {
  function NewRouteInfo (line 11) | func NewRouteInfo() (routeInfo, error) {
  method GetDefaultInterfaceName (line 17) | func (ri routeInfo) GetDefaultInterfaceName() (string, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_linux.go
  function NewRouteInfo (line 13) | func NewRouteInfo() (routeInfo, error) {
  method GetDefaultInterfaceName (line 28) | func (ri routeInfo) GetDefaultInterfaceName() (string, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_solaris.go
  function NewRouteInfo (line 16) | func NewRouteInfo() (routeInfo, error) {
  method GetDefaultInterfaceName (line 24) | func (ri routeInfo) GetDefaultInterfaceName() (string, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_test_windows.go
  function Test_parseWindowsDefaultIfName_new_vs_old (line 5) | func Test_parseWindowsDefaultIfName_new_vs_old(t *testing.T) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/route_info_windows.go
  function NewRouteInfo (line 18) | func NewRouteInfo() (routeInfo, error) {
  method GetDefaultInterfaceName (line 26) | func (ri routeInfo) GetDefaultInterfaceName() (string, error) {
  method GetDefaultInterfaceNameLegacy (line 43) | func (ri routeInfo) GetDefaultInterfaceNameLegacy() (string, error) {
  function hasPowershell (line 62) | func hasPowershell() bool {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/sockaddr.go
  type SockAddrType (line 9) | type SockAddrType
    method String (line 143) | func (sat SockAddrType) String() string {
  type AttrName (line 10) | type AttrName
  constant TypeUnknown (line 13) | TypeUnknown SockAddrType = 0x0
  constant TypeUnix (line 14) | TypeUnix                 = 0x1
  constant TypeIPv4 (line 15) | TypeIPv4                 = 0x2
  constant TypeIPv6 (line 16) | TypeIPv6                 = 0x4
  constant TypeIP (line 19) | TypeIP = 0x6
  type SockAddr (line 22) | type SockAddr interface
  function init (line 51) | func init() {
  function NewSockAddr (line 68) | func NewSockAddr(s string) (SockAddr, error) {
  function ToIPAddr (line 92) | func ToIPAddr(sa SockAddr) *IPAddr {
  function ToIPv4Addr (line 101) | func ToIPv4Addr(sa SockAddr) *IPv4Addr {
  function ToIPv6Addr (line 111) | func ToIPv6Addr(sa SockAddr) *IPv6Addr {
  function ToUnixSock (line 121) | func ToUnixSock(sa SockAddr) *UnixSock {
  function SockAddrAttr (line 132) | func SockAddrAttr(sa SockAddr, selector AttrName) string {
  function sockAddrInit (line 160) | func sockAddrInit() {
  function SockAddrAttrs (line 177) | func SockAddrAttrs() []AttrName {
  type SockAddrMarshaler (line 186) | type SockAddrMarshaler struct
    method MarshalJSON (line 190) | func (s *SockAddrMarshaler) MarshalJSON() ([]byte, error) {
    method UnmarshalJSON (line 194) | func (s *SockAddrMarshaler) UnmarshalJSON(in []byte) error {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/sockaddrs.go
  type SockAddrs (line 9) | type SockAddrs
    method Len (line 11) | func (s SockAddrs) Len() int      { return len(s) }
    method Swap (line 12) | func (s SockAddrs) Swap(i, j int) { s[i], s[j] = s[j], s[i] }
    method FilterByType (line 181) | func (sas SockAddrs) FilterByType(type_ SockAddrType) (matched, exclud...
  type CmpAddrFunc (line 16) | type CmpAddrFunc
  type multiAddrSorter (line 19) | type multiAddrSorter struct
    method Sort (line 26) | func (ms *multiAddrSorter) Sort(sockAddrs SockAddrs) {
    method Len (line 39) | func (ms *multiAddrSorter) Len() int {
    method Less (line 46) | func (ms *multiAddrSorter) Less(i, j int) bool {
    method Swap (line 77) | func (ms *multiAddrSorter) Swap(i, j int) {
  function OrderedAddrBy (line 32) | func OrderedAddrBy(cmpFuncs ...CmpAddrFunc) *multiAddrSorter {
  constant sortReceiverBeforeArg (line 87) | sortReceiverBeforeArg = -1
  constant sortDeferDecision (line 88) | sortDeferDecision     = 0
  constant sortArgBeforeReceiver (line 89) | sortArgBeforeReceiver = 1
  function AscAddress (line 94) | func AscAddress(p1Ptr, p2Ptr *SockAddr) int {
  function AscPort (line 112) | func AscPort(p1Ptr, p2Ptr *SockAddr) int {
  function AscPrivate (line 130) | func AscPrivate(p1Ptr, p2Ptr *SockAddr) int {
  function AscNetworkSize (line 144) | func AscNetworkSize(p1Ptr, p2Ptr *SockAddr) int {
  function AscType (line 163) | func AscType(p1Ptr, p2Ptr *SockAddr) int {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/go-sockaddr/unixsock.go
  type UnixSock (line 8) | type UnixSock struct
    method Contains (line 31) | func (us UnixSock) Contains(sa SockAddr) bool {
    method CmpAddress (line 45) | func (us UnixSock) CmpAddress(sa SockAddr) int {
    method CmpRFC (line 55) | func (us UnixSock) CmpRFC(rfcNum uint, sa SockAddr) int { return sortD...
    method DialPacketArgs (line 59) | func (us UnixSock) DialPacketArgs() (network, dialArgs string) {
    method DialStreamArgs (line 65) | func (us UnixSock) DialStreamArgs() (network, dialArgs string) {
    method Equal (line 70) | func (us UnixSock) Equal(sa SockAddr) bool {
    method ListenPacketArgs (line 85) | func (us UnixSock) ListenPacketArgs() (network, dialArgs string) {
    method ListenStreamArgs (line 91) | func (us UnixSock) ListenStreamArgs() (network, dialArgs string) {
    method Path (line 106) | func (us UnixSock) Path() string {
    method String (line 111) | func (us UnixSock) String() string {
    method Type (line 116) | func (UnixSock) Type() SockAddrType {
  type UnixSocks (line 12) | type UnixSocks
  function init (line 18) | func init() {
  function NewUnixSock (line 25) | func NewUnixSock(s string) (ret UnixSock, err error) {
  function MustUnixSock (line 97) | func MustUnixSock(addr string) UnixSock {
  function UnixSockAttrs (line 121) | func UnixSockAttrs() []AttrName {
  function UnixSockAttr (line 127) | func UnixSockAttr(us UnixSock, attrName AttrName) string {
  function unixAttrInit (line 137) | func unixAttrInit() {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/2q.go
  constant Default2QRecentRatio (line 13) | Default2QRecentRatio = 0.25
  constant Default2QGhostEntries (line 17) | Default2QGhostEntries = 0.50
  type TwoQueueCache (line 29) | type TwoQueueCache struct
    method Get (line 88) | func (c *TwoQueueCache) Get(key interface{}) (value interface{}, ok bo...
    method Add (line 110) | func (c *TwoQueueCache) Add(key, value interface{}) {
    method ensureSpace (line 144) | func (c *TwoQueueCache) ensureSpace(recentEvict bool) {
    method Len (line 165) | func (c *TwoQueueCache) Len() int {
    method Keys (line 173) | func (c *TwoQueueCache) Keys() []interface{} {
    method Remove (line 182) | func (c *TwoQueueCache) Remove(key interface{}) {
    method Purge (line 197) | func (c *TwoQueueCache) Purge() {
    method Contains (line 207) | func (c *TwoQueueCache) Contains(key interface{}) bool {
    method Peek (line 215) | func (c *TwoQueueCache) Peek(key interface{}) (value interface{}, ok b...
  function New2Q (line 41) | func New2Q(size int) (*TwoQueueCache, error) {
  function New2QParams (line 47) | func New2QParams(size int, recentRatio, ghostRatio float64) (*TwoQueueCa...

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/arc.go
  type ARCCache (line 17) | type ARCCache struct
    method Get (line 63) | func (c *ARCCache) Get(key interface{}) (value interface{}, ok bool) {
    method Add (line 85) | func (c *ARCCache) Add(key, value interface{}) {
    method replace (line 180) | func (c *ARCCache) replace(b2ContainsKey bool) {
    method Len (line 196) | func (c *ARCCache) Len() int {
    method Keys (line 203) | func (c *ARCCache) Keys() []interface{} {
    method Remove (line 212) | func (c *ARCCache) Remove(key interface{}) {
    method Purge (line 230) | func (c *ARCCache) Purge() {
    method Contains (line 241) | func (c *ARCCache) Contains(key interface{}) bool {
    method Peek (line 249) | func (c *ARCCache) Peek(key interface{}) (value interface{}, ok bool) {
  function NewARC (line 31) | func NewARC(size int) (*ARCCache, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/lru.go
  constant DefaultEvictedBufferSize (line 11) | DefaultEvictedBufferSize = 16
  type Cache (line 15) | type Cache struct
    method initEvictBuffers (line 42) | func (c *Cache) initEvictBuffers() {
    method onEvicted (line 49) | func (c *Cache) onEvicted(k, v interface{}) {
    method Purge (line 55) | func (c *Cache) Purge() {
    method Add (line 73) | func (c *Cache) Add(key, value interface{}) (evicted bool) {
    method Get (line 89) | func (c *Cache) Get(key interface{}) (value interface{}, ok bool) {
    method Contains (line 98) | func (c *Cache) Contains(key interface{}) bool {
    method Peek (line 107) | func (c *Cache) Peek(key interface{}) (value interface{}, ok bool) {
    method ContainsOrAdd (line 117) | func (c *Cache) ContainsOrAdd(key, value interface{}) (ok, evicted boo...
    method PeekOrAdd (line 139) | func (c *Cache) PeekOrAdd(key, value interface{}) (previous interface{...
    method Remove (line 160) | func (c *Cache) Remove(key interface{}) (present bool) {
    method Resize (line 176) | func (c *Cache) Resize(size int) (evicted int) {
    method RemoveOldest (line 194) | func (c *Cache) RemoveOldest() (key, value interface{}, ok bool) {
    method GetOldest (line 210) | func (c *Cache) GetOldest() (key, value interface{}, ok bool) {
    method Keys (line 218) | func (c *Cache) Keys() []interface{} {
    method Len (line 226) | func (c *Cache) Len() int {
  function New (line 23) | func New(size int) (*Cache, error) {
  function NewWithEvict (line 29) | func NewWithEvict(size int, onEvicted func(key, value interface{})) (c *...

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/simplelru/lru.go
  type EvictCallback (line 9) | type EvictCallback
  type LRU (line 12) | type LRU struct
    method Purge (line 40) | func (c *LRU) Purge() {
    method Add (line 51) | func (c *LRU) Add(key, value interface{}) (evicted bool) {
    method Get (line 73) | func (c *LRU) Get(key interface{}) (value interface{}, ok bool) {
    method Contains (line 86) | func (c *LRU) Contains(key interface{}) (ok bool) {
    method Peek (line 93) | func (c *LRU) Peek(key interface{}) (value interface{}, ok bool) {
    method Remove (line 103) | func (c *LRU) Remove(key interface{}) (present bool) {
    method RemoveOldest (line 112) | func (c *LRU) RemoveOldest() (key, value interface{}, ok bool) {
    method GetOldest (line 123) | func (c *LRU) GetOldest() (key, value interface{}, ok bool) {
    method Keys (line 133) | func (c *LRU) Keys() []interface{} {
    method Len (line 144) | func (c *LRU) Len() int {
    method Resize (line 149) | func (c *LRU) Resize(size int) (evicted int) {
    method removeOldest (line 162) | func (c *LRU) removeOldest() {
    method removeElement (line 170) | func (c *LRU) removeElement(e *list.Element) {
  type entry (line 20) | type entry struct
  function NewLRU (line 26) | func NewLRU(size int, onEvict EvictCallback) (*LRU, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/simplelru/lru_interface.go
  type LRUCache (line 5) | type LRUCache interface

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/golang-lru/testing.go
  function getRand (line 10) | func getRand(tb testing.TB) int64 {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/decoder.go
  constant tagName (line 17) | tagName = "hcl"
  function Unmarshal (line 26) | func Unmarshal(bs []byte, v interface{}) error {
  function UnmarshalErrorOnDuplicates (line 37) | func UnmarshalErrorOnDuplicates(bs []byte, v interface{}) error {
  function Decode (line 48) | func Decode(out interface{}, in string) error {
  function DecodeErrorOnDuplicates (line 54) | func DecodeErrorOnDuplicates(out interface{}, in string) error {
  function decode (line 60) | func decode(out interface{}, in string, errorOnDuplicateAtributes bool) ...
  function DecodeObject (line 71) | func DecodeObject(out interface{}, n ast.Node) error {
  type decoder (line 86) | type decoder struct
    method decode (line 90) | func (d *decoder) decode(name string, node ast.Node, result reflect.Va...
    method decodeBool (line 140) | func (d *decoder) decodeBool(name string, node ast.Node, result reflec...
    method decodeFloat (line 160) | func (d *decoder) decodeFloat(name string, node ast.Node, result refle...
    method decodeInt (line 180) | func (d *decoder) decodeInt(name string, node ast.Node, result reflect...
    method decodeInterface (line 217) | func (d *decoder) decodeInterface(name string, node ast.Node, result r...
    method decodeMap (line 323) | func (d *decoder) decodeMap(name string, node ast.Node, result reflect...
    method decodePtr (line 423) | func (d *decoder) decodePtr(name string, node ast.Node, result reflect...
    method decodeSlice (line 442) | func (d *decoder) decodeSlice(name string, node ast.Node, result refle...
    method decodeString (line 551) | func (d *decoder) decodeString(name string, node ast.Node, result refl...
    method decodeStruct (line 570) | func (d *decoder) decodeStruct(name string, node ast.Node, result refl...
  function expandObject (line 502) | func expandObject(node ast.Node, result reflect.Value) ast.Node {
  function findNodeType (line 778) | func findNodeType() reflect.Type {
  function removeCaseFold (line 786) | func removeCaseFold(xs map[string][]token.Pos, y string) map[string][]to...

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/ast/ast.go
  type Node (line 13) | type Node interface
  type File (line 31) | type File struct
    method node (line 18) | func (File) node()         {}
    method Pos (line 36) | func (f *File) Pos() token.Pos {
  type ObjectList (line 42) | type ObjectList struct
    method node (line 19) | func (ObjectList) node()   {}
    method Add (line 46) | func (o *ObjectList) Add(item *ObjectItem) {
    method Filter (line 57) | func (o *ObjectList) Filter(keys ...string) *ObjectList {
    method Children (line 88) | func (o *ObjectList) Children() *ObjectList {
    method Elem (line 101) | func (o *ObjectList) Elem() *ObjectList {
    method Pos (line 112) | func (o *ObjectList) Pos() token.Pos {
    method GoString (line 226) | func (o *ObjectList) GoString() string { return fmt.Sprintf("*%#v", *o) }
  type ObjectItem (line 124) | type ObjectItem struct
    method node (line 21) | func (ObjectItem) node()   {}
    method Pos (line 142) | func (o *ObjectItem) Pos() token.Pos {
  type ObjectKey (line 153) | type ObjectKey struct
    method node (line 20) | func (ObjectKey) node()    {}
    method Pos (line 157) | func (o *ObjectKey) Pos() token.Pos {
    method GoString (line 225) | func (o *ObjectKey) GoString() string  { return fmt.Sprintf("*%#v", *o) }
  type LiteralType (line 163) | type LiteralType struct
    method node (line 25) | func (LiteralType) node()  {}
    method Pos (line 171) | func (l *LiteralType) Pos() token.Pos {
  type ListType (line 176) | type ListType struct
    method node (line 26) | func (ListType) node()     {}
    method Pos (line 182) | func (l *ListType) Pos() token.Pos {
    method Add (line 186) | func (l *ListType) Add(node Node) {
  type ObjectType (line 191) | type ObjectType struct
    method node (line 24) | func (ObjectType) node()   {}
    method Pos (line 197) | func (o *ObjectType) Pos() token.Pos {
  type Comment (line 202) | type Comment struct
    method node (line 22) | func (Comment) node()      {}
    method Pos (line 207) | func (c *Comment) Pos() token.Pos {
  type CommentGroup (line 213) | type CommentGroup struct
    method node (line 23) | func (CommentGroup) node() {}
    method Pos (line 217) | func (c *CommentGroup) Pos() token.Pos {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/ast/walk.go
  type WalkFunc (line 8) | type WalkFunc
  function Walk (line 14) | func Walk(node Node, fn WalkFunc) Node {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/parser/error.go
  type PosError (line 10) | type PosError struct
    method Error (line 15) | func (e *PosError) Error() string {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/parser/parser.go
  type Parser (line 16) | type Parser struct
    method Parse (line 65) | func (p *Parser) Parse() (*ast.File, error) {
    method objectList (line 89) | func (p *Parser) objectList(obj bool) (*ast.ObjectList, error) {
    method consumeComment (line 144) | func (p *Parser) consumeComment() (comment *ast.Comment, endline int) {
    method consumeCommentGroup (line 162) | func (p *Parser) consumeCommentGroup(n int) (comments *ast.CommentGrou...
    method objectItem (line 180) | func (p *Parser) objectItem() (*ast.ObjectItem, error) {
    method objectKey (line 258) | func (p *Parser) objectKey() ([]*ast.ObjectKey, error) {
    method object (line 322) | func (p *Parser) object() (ast.Node, error) {
    method objectType (line 346) | func (p *Parser) objectType() (*ast.ObjectType, error) {
    method listType (line 378) | func (p *Parser) listType() (*ast.ListType, error) {
    method literalType (line 469) | func (p *Parser) literalType() (*ast.LiteralType, error) {
    method scan (line 480) | func (p *Parser) scan() token.Token {
    method unscan (line 532) | func (p *Parser) unscan() {
    method printTrace (line 539) | func (p *Parser) printTrace(a ...interface{}) {
  function newParser (line 34) | func newParser(src []byte, errorOnDuplicateKeys bool) *Parser {
  function Parse (line 42) | func Parse(src []byte) (*ast.File, error) {
  function ParseDontErrorOnDuplicateKeys (line 47) | func ParseDontErrorOnDuplicateKeys(src []byte) (*ast.File, error) {
  function parse (line 52) | func parse(src []byte, errorOnDuplicateKeys bool) (*ast.File, error) {
  function trace (line 558) | func trace(p *Parser, msg string) *Parser {
  function un (line 565) | func un(p *Parser) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/scanner/scanner.go
  constant eof (line 17) | eof = rune(0)
  type Scanner (line 20) | type Scanner struct
    method next (line 67) | func (s *Scanner) next() rune {
    method unread (line 111) | func (s *Scanner) unread() {
    method peek (line 119) | func (s *Scanner) peek() rune {
    method Scan (line 130) | func (s *Scanner) Scan() token.Token {
    method scanComment (line 231) | func (s *Scanner) scanComment(ch rune) {
    method scanNumber (line 272) | func (s *Scanner) scanNumber(ch rune) token.Type {
    method scanMantissa (line 357) | func (s *Scanner) scanMantissa(ch rune) rune {
    method scanFraction (line 371) | func (s *Scanner) scanFraction(ch rune) rune {
    method scanExponent (line 381) | func (s *Scanner) scanExponent(ch rune) rune {
    method scanHeredoc (line 393) | func (s *Scanner) scanHeredoc() {
    method scanString (line 477) | func (s *Scanner) scanString() {
    method scanEscape (line 513) | func (s *Scanner) scanEscape() rune {
    method scanDigits (line 539) | func (s *Scanner) scanDigits(ch rune, base, n int) rune {
    method scanIdentifier (line 565) | func (s *Scanner) scanIdentifier() string {
    method recentPosition (line 581) | func (s *Scanner) recentPosition() (pos token.Pos) {
    method err (line 604) | func (s *Scanner) err(msg string) {
  function New (line 50) | func New(src []byte) *Scanner {
  function isLetter (line 617) | func isLetter(ch rune) bool {
  function isDigit (line 622) | func isDigit(ch rune) bool {
  function isDecimal (line 627) | func isDecimal(ch rune) bool {
  function isHexadecimal (line 632) | func isHexadecimal(ch rune) bool {
  function isWhitespace (line 637) | func isWhitespace(ch rune) bool {
  function digitVal (line 642) | func digitVal(ch rune) int {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/strconv/quote.go
  function Unquote (line 16) | func Unquote(s string) (t string, err error) {
  function contains (line 114) | func contains(s string, c byte) bool {
  function unhex (line 123) | func unhex(b byte) (v rune, ok bool) {
  function unquoteChar (line 136) | func unquoteChar(s string, quote byte) (value rune, multibyte bool, tail...

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/token/position.go
  type Pos (line 8) | type Pos struct
    method IsValid (line 16) | func (p *Pos) IsValid() bool { return p.Line > 0 }
    method String (line 24) | func (p Pos) String() string {
    method Before (line 39) | func (p Pos) Before(u Pos) bool {
    method After (line 44) | func (p Pos) After(u Pos) bool {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/token/token.go
  type Token (line 14) | type Token struct
    method String (line 109) | func (t Token) String() string {
    method Value (line 118) | func (t Token) Value() interface{} {
  type Type (line 22) | type Type
    method String (line 83) | func (t Type) String() string {
    method IsIdentifier (line 96) | func (t Type) IsIdentifier() bool { return identifier_beg < t && t < i...
    method IsLiteral (line 100) | func (t Type) IsLiteral() bool { return literal_beg < t && t < literal...
    method IsOperator (line 104) | func (t Type) IsOperator() bool { return operator_beg < t && t < opera...
  constant ILLEGAL (line 26) | ILLEGAL Type = iota
  constant EOF (line 27) | EOF
  constant COMMENT (line 28) | COMMENT
  constant identifier_beg (line 30) | identifier_beg
  constant IDENT (line 31) | IDENT
  constant literal_beg (line 32) | literal_beg
  constant NUMBER (line 33) | NUMBER
  constant FLOAT (line 34) | FLOAT
  constant BOOL (line 35) | BOOL
  constant STRING (line 36) | STRING
  constant HEREDOC (line 37) | HEREDOC
  constant literal_end (line 38) | literal_end
  constant identifier_end (line 39) | identifier_end
  constant operator_beg (line 41) | operator_beg
  constant LBRACK (line 42) | LBRACK
  constant LBRACE (line 43) | LBRACE
  constant COMMA (line 44) | COMMA
  constant PERIOD (line 45) | PERIOD
  constant RBRACK (line 47) | RBRACK
  constant RBRACE (line 48) | RBRACE
  constant ASSIGN (line 50) | ASSIGN
  constant ADD (line 51) | ADD
  constant SUB (line 52) | SUB
  constant operator_end (line 53) | operator_end
  function unindentHeredoc (line 174) | func unindentHeredoc(heredoc string) string {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/json/parser/flatten.go
  function flattenObjects (line 6) | func flattenObjects(node ast.Node) {
  function flattenListType (line 46) | func flattenListType(
  function flattenObjectType (line 80) | func flattenObjectType(

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/json/parser/parser.go
  type Parser (line 13) | type Parser struct
    method Parse (line 40) | func (p *Parser) Parse() (*ast.File, error) {
    method objectList (line 66) | func (p *Parser) objectList() (*ast.ObjectList, error) {
    method objectItem (line 94) | func (p *Parser) objectItem() (*ast.ObjectItem, error) {
    method objectKey (line 126) | func (p *Parser) objectKey() ([]*ast.ObjectKey, error) {
    method objectValue (line 159) | func (p *Parser) objectValue() (ast.Node, error) {
    method object (line 179) | func (p *Parser) object() (*ast.ObjectType, error) {
    method objectType (line 194) | func (p *Parser) objectType() (*ast.ObjectType, error) {
    method listType (line 213) | func (p *Parser) listType() (*ast.ListType, error) {
    method literalType (line 255) | func (p *Parser) literalType() (*ast.LiteralType, error) {
    method scan (line 265) | func (p *Parser) scan() token.Token {
    method unscan (line 277) | func (p *Parser) unscan() {
    method printTrace (line 284) | func (p *Parser) printTrace(a ...interface{}) {
  function newParser (line 25) | func newParser(src []byte) *Parser {
  function Parse (line 32) | func Parse(src []byte) (*ast.File, error) {
  function trace (line 303) | func trace(p *Parser, msg string) *Parser {
  function un (line 310) | func un(p *Parser) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/json/scanner/scanner.go
  constant eof (line 14) | eof = rune(0)
  type Scanner (line 17) | type Scanner struct
    method next (line 64) | func (s *Scanner) next() rune {
    method unread (line 101) | func (s *Scanner) unread() {
    method peek (line 109) | func (s *Scanner) peek() rune {
    method Scan (line 120) | func (s *Scanner) Scan() token.Token {
    method scanNumber (line 217) | func (s *Scanner) scanNumber(ch rune) token.Type {
    method scanMantissa (line 251) | func (s *Scanner) scanMantissa(ch rune) rune {
    method scanFraction (line 265) | func (s *Scanner) scanFraction(ch rune) rune {
    method scanExponent (line 275) | func (s *Scanner) scanExponent(ch rune) rune {
    method scanString (line 287) | func (s *Scanner) scanString() {
    method scanEscape (line 323) | func (s *Scanner) scanEscape() rune {
    method scanDigits (line 349) | func (s *Scanner) scanDigits(ch rune, base, n int) rune {
    method scanIdentifier (line 364) | func (s *Scanner) scanIdentifier() string {
    method recentPosition (line 380) | func (s *Scanner) recentPosition() (pos token.Pos) {
    method err (line 403) | func (s *Scanner) err(msg string) {
  function New (line 47) | func New(src []byte) *Scanner {
  function isLetter (line 416) | func isLetter(ch rune) bool {
  function isDigit (line 421) | func isDigit(ch rune) bool {
  function isDecimal (line 426) | func isDecimal(ch rune) bool {
  function isHexadecimal (line 431) | func isHexadecimal(ch rune) bool {
  function isWhitespace (line 436) | func isWhitespace(ch rune) bool {
  function digitVal (line 441) | func digitVal(ch rune) int {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/json/token/position.go
  type Pos (line 8) | type Pos struct
    method IsValid (line 16) | func (p *Pos) IsValid() bool { return p.Line > 0 }
    method String (line 24) | func (p Pos) String() string {
    method Before (line 39) | func (p Pos) Before(u Pos) bool {
    method After (line 44) | func (p Pos) After(u Pos) bool {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/json/token/token.go
  type Token (line 11) | type Token struct
    method String (line 96) | func (t Token) String() string {
    method HCLToken (line 103) | func (t Token) HCLToken() hcltoken.Token {
  type Type (line 18) | type Type
    method String (line 70) | func (t Type) String() string {
    method IsIdentifier (line 83) | func (t Type) IsIdentifier() bool { return identifier_beg < t && t < i...
    method IsLiteral (line 87) | func (t Type) IsLiteral() bool { return literal_beg < t && t < literal...
    method IsOperator (line 91) | func (t Type) IsOperator() bool { return operator_beg < t && t < opera...
  constant ILLEGAL (line 22) | ILLEGAL Type = iota
  constant EOF (line 23) | EOF
  constant identifier_beg (line 25) | identifier_beg
  constant literal_beg (line 26) | literal_beg
  constant NUMBER (line 27) | NUMBER
  constant FLOAT (line 28) | FLOAT
  constant BOOL (line 29) | BOOL
  constant STRING (line 30) | STRING
  constant NULL (line 31) | NULL
  constant literal_end (line 32) | literal_end
  constant identifier_end (line 33) | identifier_end
  constant operator_beg (line 35) | operator_beg
  constant LBRACK (line 36) | LBRACK
  constant LBRACE (line 37) | LBRACE
  constant COMMA (line 38) | COMMA
  constant PERIOD (line 39) | PERIOD
  constant COLON (line 40) | COLON
  constant RBRACK (line 42) | RBRACK
  constant RBRACE (line 43) | RBRACE
  constant operator_end (line 45) | operator_end

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/lex.go
  type lexModeValue (line 8) | type lexModeValue
  constant lexModeUnknown (line 11) | lexModeUnknown lexModeValue = iota
  constant lexModeHcl (line 12) | lexModeHcl
  constant lexModeJson (line 13) | lexModeJson
  function lexMode (line 18) | func lexMode(v []byte) lexModeValue {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/hcl/parse.go
  function ParseBytes (line 14) | func ParseBytes(in []byte) (*ast.File, error) {
  function ParseString (line 19) | func ParseString(input string) (*ast.File, error) {
  function parse (line 23) | func parse(in []byte, errorOnDuplicateKeys bool) (*ast.File, error) {
  function Parse (line 40) | func Parse(input string) (*ast.File, error) {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/auth.go
  type Auth (line 12) | type Auth struct
    method Login (line 33) | func (a *Auth) Login(ctx context.Context, authMethod AuthMethod) (*Sec...
    method MFALogin (line 48) | func (a *Auth) MFALogin(ctx context.Context, authMethod AuthMethod, cr...
    method MFAValidate (line 64) | func (a *Auth) MFAValidate(ctx context.Context, mfaSecret *Secret, pay...
    method login (line 78) | func (a *Auth) login(ctx context.Context, authMethod AuthMethod) (*Sec...
    method twoPhaseMFALogin (line 89) | func (a *Auth) twoPhaseMFALogin(ctx context.Context, authMethod AuthMe...
    method checkAndSetToken (line 104) | func (a *Auth) checkAndSetToken(s *Secret) (*Secret, error) {
  type AuthMethod (line 16) | type AuthMethod interface
  method Auth (line 21) | func (c *Client) Auth() *Auth {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/auth_token.go
  type TokenAuth (line 12) | type TokenAuth struct
    method Create (line 21) | func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error) {
    method CreateWithContext (line 25) | func (c *TokenAuth) CreateWithContext(ctx context.Context, opts *Token...
    method CreateOrphan (line 43) | func (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, e...
    method CreateOrphanWithContext (line 47) | func (c *TokenAuth) CreateOrphanWithContext(ctx context.Context, opts ...
    method CreateWithRole (line 65) | func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName ...
    method CreateWithRoleWithContext (line 69) | func (c *TokenAuth) CreateWithRoleWithContext(ctx context.Context, opt...
    method Lookup (line 87) | func (c *TokenAuth) Lookup(token string) (*Secret, error) {
    method LookupWithContext (line 91) | func (c *TokenAuth) LookupWithContext(ctx context.Context, token strin...
    method LookupAccessor (line 111) | func (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error) {
    method LookupAccessorWithContext (line 115) | func (c *TokenAuth) LookupAccessorWithContext(ctx context.Context, acc...
    method LookupSelf (line 135) | func (c *TokenAuth) LookupSelf() (*Secret, error) {
    method LookupSelfWithContext (line 139) | func (c *TokenAuth) LookupSelfWithContext(ctx context.Context) (*Secre...
    method RenewAccessor (line 154) | func (c *TokenAuth) RenewAccessor(accessor string, increment int) (*Se...
    method RenewAccessorWithContext (line 158) | func (c *TokenAuth) RenewAccessorWithContext(ctx context.Context, acce...
    method Renew (line 179) | func (c *TokenAuth) Renew(token string, increment int) (*Secret, error) {
    method RenewWithContext (line 183) | func (c *TokenAuth) RenewWithContext(ctx context.Context, token string...
    method RenewSelf (line 204) | func (c *TokenAuth) RenewSelf(increment int) (*Secret, error) {
    method RenewSelfWithContext (line 208) | func (c *TokenAuth) RenewSelfWithContext(ctx context.Context, incremen...
    method RenewTokenAsSelf (line 229) | func (c *TokenAuth) RenewTokenAsSelf(token string, increment int) (*Se...
    method RenewTokenAsSelfWithContext (line 235) | func (c *TokenAuth) RenewTokenAsSelfWithContext(ctx context.Context, t...
    method RevokeAccessor (line 257) | func (c *TokenAuth) RevokeAccessor(accessor string) error {
    method RevokeAccessorWithContext (line 263) | func (c *TokenAuth) RevokeAccessorWithContext(ctx context.Context, acc...
    method RevokeOrphan (line 284) | func (c *TokenAuth) RevokeOrphan(token string) error {
    method RevokeOrphanWithContext (line 290) | func (c *TokenAuth) RevokeOrphanWithContext(ctx context.Context, token...
    method RevokeSelf (line 311) | func (c *TokenAuth) RevokeSelf(token string) error {
    method RevokeSelfWithContext (line 318) | func (c *TokenAuth) RevokeSelfWithContext(ctx context.Context, token s...
    method RevokeTree (line 334) | func (c *TokenAuth) RevokeTree(token string) error {
    method RevokeTreeWithContext (line 341) | func (c *TokenAuth) RevokeTreeWithContext(ctx context.Context, token s...
  method Token (line 17) | func (a *Auth) Token() *TokenAuth {
  type TokenCreateRequest (line 362) | type TokenCreateRequest struct

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/cliconfig/config.go
  constant defaultConfigPath (line 18) | defaultConfigPath = "~/.vault"
  constant configPathEnv (line 22) | configPathEnv = "VAULT_CONFIG_PATH"
  type defaultConfig (line 27) | type defaultConfig struct
  function loadConfig (line 38) | func loadConfig(path string) (config *defaultConfig, duplicate bool, err...
  function parseConfig (line 66) | func parseConfig(contents string) (config *defaultConfig, duplicate bool...

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/cliconfig/hcl_dup_attr_deprecation.go
  constant allowHclDuplicatesEnvVar (line 19) | allowHclDuplicatesEnvVar = "VAULT_ALLOW_PENDING_REMOVAL_DUPLICATE_HCL_AT...
  function parseAndCheckForDuplicateHclAttributes (line 26) | func parseAndCheckForDuplicateHclAttributes(input string) (res *ast.File...

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/cliconfig/util.go
  function DefaultTokenHelper (line 12) | func DefaultTokenHelper() (tokenhelper.TokenHelper, error) {
  function DefaultTokenHelperCheckDuplicates (line 19) | func DefaultTokenHelperCheckDuplicates() (helper tokenhelper.TokenHelper...

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/client.go
  constant EnvVaultAddress (line 37) | EnvVaultAddress          = "VAULT_ADDR"
  constant EnvVaultAgentAddr (line 38) | EnvVaultAgentAddr        = "VAULT_AGENT_ADDR"
  constant EnvVaultCACert (line 39) | EnvVaultCACert           = "VAULT_CACERT"
  constant EnvVaultCACertBytes (line 40) | EnvVaultCACertBytes      = "VAULT_CACERT_BYTES"
  constant EnvVaultCAPath (line 41) | EnvVaultCAPath           = "VAULT_CAPATH"
  constant EnvVaultClientCert (line 42) | EnvVaultClientCert       = "VAULT_CLIENT_CERT"
  constant EnvVaultClientKey (line 43) | EnvVaultClientKey        = "VAULT_CLIENT_KEY"
  constant EnvVaultClientTimeout (line 44) | EnvVaultClientTimeout    = "VAULT_CLIENT_TIMEOUT"
  constant EnvVaultHeaders (line 45) | EnvVaultHeaders          = "VAULT_HEADERS"
  constant EnvVaultSRVLookup (line 46) | EnvVaultSRVLookup        = "VAULT_SRV_LOOKUP"
  constant EnvVaultSkipVerify (line 47) | EnvVaultSkipVerify       = "VAULT_SKIP_VERIFY"
  constant EnvVaultNamespace (line 48) | EnvVaultNamespace        = "VAULT_NAMESPACE"
  constant EnvVaultTLSServerName (line 49) | EnvVaultTLSServerName    = "VAULT_TLS_SERVER_NAME"
  constant EnvVaultWrapTTL (line 50) | EnvVaultWrapTTL          = "VAULT_WRAP_TTL"
  constant EnvVaultMaxRetries (line 51) | EnvVaultMaxRetries       = "VAULT_MAX_RETRIES"
  constant EnvVaultToken (line 52) | EnvVaultToken            = "VAULT_TOKEN"
  constant EnvVaultMFA (line 53) | EnvVaultMFA              = "VAULT_MFA"
  constant EnvRateLimit (line 54) | EnvRateLimit             = "VAULT_RATE_LIMIT"
  constant EnvHTTPProxy (line 55) | EnvHTTPProxy             = "VAULT_HTTP_PROXY"
  constant EnvVaultProxyAddr (line 56) | EnvVaultProxyAddr        = "VAULT_PROXY_ADDR"
  constant EnvVaultDisableRedirects (line 57) | EnvVaultDisableRedirects = "VAULT_DISABLE_REDIRECTS"
  constant HeaderIndex (line 58) | HeaderIndex              = "X-Vault-Index"
  constant HeaderForward (line 59) | HeaderForward            = "X-Vault-Forward"
  constant HeaderInconsistent (line 60) | HeaderInconsistent       = "X-Vault-Inconsistent"
  constant NamespaceHeaderName (line 64) | NamespaceHeaderName = "X-Vault-Namespace"
  constant AuthHeaderName (line 67) | AuthHeaderName = "X-Vault-Token"
  constant RequestHeaderName (line 71) | RequestHeaderName = "X-Vault-Request"
  constant SnapshotHeaderName (line 73) | SnapshotHeaderName          = "X-Vault-Recover-Snapshot-Id"
  constant RecoverSourcePathHeaderName (line 74) | RecoverSourcePathHeaderName = "X-Vault-Recover-Source-Path"
  constant TLSErrorString (line 76) | TLSErrorString = "This error usually means that the server is running wi...
  constant EnvVaultAgentAddress (line 88) | EnvVaultAgentAddress = "VAULT_AGENT_ADDR"
  constant EnvVaultInsecure (line 89) | EnvVaultInsecure     = "VAULT_SKIP_VERIFY"
  constant DefaultAddress (line 91) | DefaultAddress = "https://127.0.0.1:8200"
  type WrappingLookupFunc (line 100) | type WrappingLookupFunc
  type Config (line 103) | type Config struct
    method configureTLS (line 299) | func (c *Config) configureTLS(t *TLSConfig) error {
    method TLSConfig (line 363) | func (c *Config) TLSConfig() *tls.Config {
    method ConfigureTLS (line 371) | func (c *Config) ConfigureTLS(t *TLSConfig) error {
    method ReadEnvironment (line 380) | func (c *Config) ReadEnvironment() error {
    method ParseAddress (line 532) | func (c *Config) ParseAddress(address string) (*url.URL, error) {
  type TLSConfig (line 221) | type TLSConfig struct
  function DefaultConfig (line 256) | func DefaultConfig() *Config {
  function parseRateLimit (line 574) | func parseRateLimit(val string) (rate float64, burst int, err error) {
  type Client (line 588) | type Client struct
    method CloneConfig (line 700) | func (c *Client) CloneConfig() *Config {
    method SetAddress (line 731) | func (c *Client) SetAddress(addr string) error {
    method Address (line 745) | func (c *Client) Address() string {
    method SetCheckRedirect (line 752) | func (c *Client) SetCheckRedirect(f func(*http.Request, []*http.Reques...
    method SetLimiter (line 765) | func (c *Client) SetLimiter(rateLimit float64, burst int) {
    method Limiter (line 774) | func (c *Client) Limiter() *rate.Limiter {
    method SetMinRetryWait (line 784) | func (c *Client) SetMinRetryWait(retryWait time.Duration) {
    method MinRetryWait (line 793) | func (c *Client) MinRetryWait() time.Duration {
    method SetMaxRetryWait (line 803) | func (c *Client) SetMaxRetryWait(retryWait time.Duration) {
    method MaxRetryWait (line 812) | func (c *Client) MaxRetryWait() time.Duration {
    method SetMaxRetries (line 822) | func (c *Client) SetMaxRetries(retries int) {
    method SetMaxIdleConnections (line 831) | func (c *Client) SetMaxIdleConnections(idle int) {
    method MaxIdleConnections (line 840) | func (c *Client) MaxIdleConnections() int {
    method SetDisableKeepAlives (line 849) | func (c *Client) SetDisableKeepAlives(disable bool) {
    method DisableKeepAlives (line 858) | func (c *Client) DisableKeepAlives() bool {
    method MaxRetries (line 867) | func (c *Client) MaxRetries() int {
    method SetSRVLookup (line 876) | func (c *Client) SetSRVLookup(srv bool) {
    method SRVLookup (line 885) | func (c *Client) SRVLookup() bool {
    method SetCheckRetry (line 895) | func (c *Client) SetCheckRetry(checkRetry retryablehttp.CheckRetry) {
    method CheckRetry (line 904) | func (c *Client) CheckRetry() retryablehttp.CheckRetry {
    method SetClientTimeout (line 914) | func (c *Client) SetClientTimeout(timeout time.Duration) {
    method ClientTimeout (line 923) | func (c *Client) ClientTimeout() time.Duration {
    method OutputCurlString (line 932) | func (c *Client) OutputCurlString() bool {
    method SetOutputCurlString (line 941) | func (c *Client) SetOutputCurlString(curl bool) {
    method OutputPolicy (line 950) | func (c *Client) OutputPolicy() bool {
    method SetOutputPolicy (line 959) | func (c *Client) SetOutputPolicy(isSet bool) {
    method CurrentWrappingLookupFunc (line 970) | func (c *Client) CurrentWrappingLookupFunc() WrappingLookupFunc {
    method SetWrappingLookupFunc (line 978) | func (c *Client) SetWrappingLookupFunc(lookupFunc WrappingLookupFunc) {
    method SetMFACreds (line 986) | func (c *Client) SetMFACreds(creds []string) {
    method SetNamespace (line 994) | func (c *Client) SetNamespace(namespace string) {
    method setNamespace (line 1000) | func (c *Client) setNamespace(namespace string) {
    method ClearNamespace (line 1009) | func (c *Client) ClearNamespace() {
    method Namespace (line 1019) | func (c *Client) Namespace() string {
    method WithNamespace (line 1031) | func (c *Client) WithNamespace(namespace string) *Client {
    method Token (line 1047) | func (c *Client) Token() string {
    method SetToken (line 1055) | func (c *Client) SetToken(v string) {
    method HCPCookie (line 1063) | func (c *Client) HCPCookie() string {
    method SetHCPCookie (line 1075) | func (c *Client) SetHCPCookie(v *http.Cookie) error {
    method ClearToken (line 1089) | func (c *Client) ClearToken() {
    method Headers (line 1097) | func (c *Client) Headers() http.Header {
    method headersInternal (line 1105) | func (c *Client) headersInternal() http.Header {
    method AddHeader (line 1122) | func (c *Client) AddHeader(key, value string) {
    method SetHeaders (line 1130) | func (c *Client) SetHeaders(headers http.Header) {
    method SetBackoff (line 1137) | func (c *Client) SetBackoff(backoff retryablehttp.Backoff) {
    method SetLogger (line 1146) | func (c *Client) SetLogger(logger retryablehttp.LeveledLogger) {
    method SetCloneHeaders (line 1156) | func (c *Client) SetCloneHeaders(cloneHeaders bool) {
    method CloneHeaders (line 1166) | func (c *Client) CloneHeaders() bool {
    method SetCloneToken (line 1176) | func (c *Client) SetCloneToken(cloneToken bool) {
    method CloneToken (line 1186) | func (c *Client) CloneToken() bool {
    method SetReadYourWrites (line 1196) | func (c *Client) SetReadYourWrites(preventStaleReads bool) {
    method ReadYourWrites (line 1214) | func (c *Client) ReadYourWrites() bool {
    method SetCloneTLSConfig (line 1224) | func (c *Client) SetCloneTLSConfig(clone bool) {
    method CloneTLSConfig (line 1234) | func (c *Client) CloneTLSConfig() bool {
    method Clone (line 1252) | func (c *Client) Clone() (*Client, error) {
    method CloneWithHeaders (line 1262) | func (c *Client) CloneWithHeaders() (*Client, error) {
    method clone (line 1273) | func (c *Client) clone(cloneHeaders bool) (*Client, error) {
    method SetPolicyOverride (line 1319) | func (c *Client) SetPolicyOverride(override bool) {
    method NewRequest (line 1328) | func (c *Client) NewRequest(method, requestPath string) *Request {
    method RawRequest (line 1395) | func (c *Client) RawRequest(r *Request) (*Response, error) {
    method RawRequestWithContext (line 1406) | func (c *Client) RawRequestWithContext(ctx context.Context, r *Request...
    method rawRequestWithContext (line 1415) | func (c *Client) rawRequestWithContext(ctx context.Context, r *Request...
    method httpRequestWithContext (line 1578) | func (c *Client) httpRequestWithContext(ctx context.Context, r *Reques...
    method WithRequestCallbacks (line 1710) | func (c *Client) WithRequestCallbacks(callbacks ...RequestCallback) *C...
    method WithResponseCallbacks (line 1722) | func (c *Client) WithResponseCallbacks(callbacks ...ResponseCallback) ...
    method withConfiguredTimeout (line 1730) | func (c *Client) withConfiguredTimeout(ctx context.Context) (context.C...
  function NewClient (line 611) | func NewClient(c *Config) (*Client, error) {
  type RequestCallback (line 1701) | type RequestCallback
  type ResponseCallback (line 1702) | type ResponseCallback
  function RecordState (line 1742) | func RecordState(state *string) ResponseCallback {
  function RequireState (line 1751) | func RequireState(states ...string) RequestCallback {
  function compareReplicationStates (line 1762) | func compareReplicationStates(s1, s2 string) (int, error) {
  function MergeReplicationStates (line 1791) | func MergeReplicationStates(old []string, new string) []string {
  type WALState (line 1814) | type WALState struct
  function ParseReplicationState (line 1820) | func ParseReplicationState(raw string, hmacKey []byte) (*WALState, error) {
  function ForwardInconsistent (line 1869) | func ForwardInconsistent() RequestCallback {
  function ForwardAlways (line 1878) | func ForwardAlways() RequestCallback {
  function DefaultRetryPolicy (line 1888) | func DefaultRetryPolicy(ctx context.Context, resp *http.Response, err er...
  type replicationStateStore (line 1901) | type replicationStateStore struct
    method recordState (line 1908) | func (w *replicationStateStore) recordState(resp *Response) {
    method requireState (line 1918) | func (w *replicationStateStore) requireState(req *Request) {
    method states (line 1927) | func (w *replicationStateStore) states() []string {
  function validateToken (line 1936) | func validateToken(t string) error {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/hcl_dup_attr_deprecation.go
  constant allowHclDuplicatesEnvVar (line 19) | allowHclDuplicatesEnvVar = "VAULT_ALLOW_PENDING_REMOVAL_DUPLICATE_HCL_AT...
  function parseAndCheckForDuplicateHclAttributes (line 26) | func parseAndCheckForDuplicateHclAttributes(input string) (res *ast.File...

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/help.go
  method Help (line 13) | func (c *Client) Help(path string) (*Help, error) {
  method HelpWithContext (line 18) | func (c *Client) HelpWithContext(ctx context.Context, path string) (*Hel...
  type Help (line 36) | type Help struct

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/kv.go
  type KVSecret (line 23) | type KVSecret struct
  method KVv1 (line 42) | func (c *Client) KVv1(mountPath string) *KVv1 {
  method KVv2 (line 57) | func (c *Client) KVv2(mountPath string) *KVv2 {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/kv_v1.go
  type KVv1 (line 11) | type KVv1 struct
    method Get (line 17) | func (kv *KVv1) Get(ctx context.Context, secretPath string) (*KVSecret...
    method Put (line 39) | func (kv *KVv1) Put(ctx context.Context, secretPath string, data map[s...
    method Delete (line 51) | func (kv *KVv1) Delete(ctx context.Context, secretPath string) error {

FILE: third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/kv_v2.go
  type KVv2 (line 18) | type KVv2 struct
    method Get (line 115) | func (kv *KVv2) Get(ctx context.Context, secretPath string) (*KVSecret...
    method GetVersion (line 144) | func (kv *KVv2) GetVersion(ctx context.Context, secretPath string, ver...
    method GetVersionsAsList (line 167) | func (kv *KVv2) GetVersionsAsList(ctx context.Context, secretPath stri...
    method GetMetadata (line 194) | func (kv *KVv2) GetMetadata(ctx context.Context, secretPath string) (*...
    method Put (line 219) | func (kv *KVv2) Put(ctx context.Context, secretPath string, data map[s...
    method PutMetadata (line 270) | func (kv *KVv2) PutMetadata(ctx context.Context, secretPath string, me...
    method Patch (line 304) | func (kv *KVv2) Patch(ctx context.Context, secretPath string, newData ...
    method PatchMetadata (line 345) | func (kv *KVv2) PatchMetadata(ctx context.Context, secretPath string, ...
    method Delete (line 363) | func (kv *KVv2) Delete(ctx context.Context, secretPath string) error {
    method DeleteVersions (line 376) | func (kv *KVv2) DeleteVersions(ctx context.Context, secretPath string,...
    method DeleteMetadata (line 401) | func (kv *KVv2) DeleteMetadata(ctx context.Context, secretPath string)...
    method Undelete (line 416) | func (kv *KVv2) Undelete(ctx context.Context, secretPath string, versi...
    method Destroy (line 436) | func (kv *KVv2) Destroy(ctx context.Context, secretPath string, versio...
    method Rollback (line 454) | func (kv *KVv2) Rollback(ctx context.Context, secretPath string, toVer...
  type KVMetadata (line 24) | type KVMetadata struct
  type KVMetadataPutInput (line 43) | type KVMetadataPutInput struct
  type KVMetadataPatchInput (line 60) | type KVMetadataPatchInput struct
  type KVVersionMetadata (line 68) | type KVVersionMetadata struct
  type KVOption (line 76) | type KVOption
  constant KVOptionCheckAndSet (line 79) | KVOptionCheckAndSet    = "cas"
  constant KVOptionMethod (line 80) | KVOptionMethod         = "method"
  constant KVMergeMethodPatch (line 81) | KVMergeMethodPatch     = "patch"
  constant KVMergeMethodReadWrite (line 82) | KVMergeMethodReadWrite = "rw"
  function WithOption (line 87) | func WithOption(key string, value interface{}) KVOption {
  function WithCheckAndSet (line 98) | func WithCheckAndSet(cas int) KVOption {
  function WithMergeMethod (line 106) | func WithMergeMethod(method string) KVOption {
  function extractCustomMetadata (line 491) | func extractCustomMetadata(secret *Secret) map[string]interface{} {
  function extractDataAndVersionMetadata (line 511) | func extractDataAndVersionMetadata(secret *Secret) (*KVSecret, error) {
  function extractVersionMetadata (line 542) | func extractVersionMetadata(secret *Secret) (*KVVersionMetadata, error) {
  function extractFullMetadata (line 583) | func extractFullMetadata(secret *Secret) (*KVMetadata, error) {
  function validateRollbackVersion (line 630) | func validateRollbackVersion(rollbackVersion *KVSecret) error {
  function mergePatch (line 658) | func mergePatch(ctx context.Context, client *Client, mountPath string, s...
  function readThenWrite (line 717) | func readThenWrite(ctx context.Context, client *Client, mountPath string...
Condensed preview — 813 files, each showing path, character count, and a content snippet. The full structured content is 5,331K chars.
[
  {
    "path": ".gitattributes",
    "chars": 196,
    "preview": "# This file is documented at https://git-scm.com/docs/gitattributes.\n# Linguist-specific attributes are documented at\n# "
  },
  {
    "path": ".github/dependabot.yml",
    "chars": 1034,
    "preview": "#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may n"
  },
  {
    "path": ".github/workflows/build.yaml",
    "chars": 2017,
    "preview": "#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may n"
  },
  {
    "path": ".github/workflows/codeql-analysis.yml",
    "chars": 2052,
    "preview": "#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may n"
  },
  {
    "path": ".github/workflows/depsreview.yml",
    "chars": 864,
    "preview": "#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may n"
  },
  {
    "path": ".github/workflows/donotsubmit.yaml",
    "chars": 425,
    "preview": "name: Do Not Submit\n\non:\n  pull_request:\n    branches: [ 'main', 'release-*' ]\n\npermissions: read-all\n\njobs:\n\n  donotsub"
  },
  {
    "path": ".github/workflows/kind-cluster-image-policy-no-tuf.yaml",
    "chars": 7091,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": ".github/workflows/kind-cluster-image-policy-trustroot.yaml",
    "chars": 7389,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": ".github/workflows/kind-cluster-image-policy-tsa.yaml",
    "chars": 8556,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": ".github/workflows/kind-cluster-image-policy.yaml",
    "chars": 8409,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": ".github/workflows/kind-e2e-cosigned.yaml",
    "chars": 8453,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": ".github/workflows/kind-e2e-trustroot-crd.yaml",
    "chars": 7110,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": ".github/workflows/lint.yaml",
    "chars": 657,
    "preview": "name: golangci-lint\non:\n  push:\n    branches:\n      - main\n  pull_request:\n\npermissions: {}\n\njobs:\n  golangci:\n    name:"
  },
  {
    "path": ".github/workflows/milestone.yaml",
    "chars": 1494,
    "preview": "name: Milestone\n\non:\n  pull_request_target:\n    types: [closed]\n    branches:\n      - main\n\njobs:\n  milestone:\n    runs-"
  },
  {
    "path": ".github/workflows/policy-tester-examples.yml",
    "chars": 5176,
    "preview": "#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may n"
  },
  {
    "path": ".github/workflows/release-snapshot.yaml",
    "chars": 1368,
    "preview": "name: snapshot\n\non:\n  pull_request:\n\npermissions:\n  contents: read\n\njobs:\n  snapshot:\n\n    runs-on: ubuntu-latest\n    st"
  },
  {
    "path": ".github/workflows/release.yaml",
    "chars": 3658,
    "preview": "name: Cut Release\n\non:\n  push:\n    tags:\n      - \"v*\"\n\nconcurrency: cut-release\n\npermissions:\n  contents: write # needed"
  },
  {
    "path": ".github/workflows/scorecard_action.yml",
    "chars": 2077,
    "preview": "name: Scorecards supply-chain security\non:\n  # Only the default branch is supported.\n  branch_protection_rule:\n  schedul"
  },
  {
    "path": ".github/workflows/style.yaml",
    "chars": 1074,
    "preview": "name: Code Style\n\non:\n  pull_request:\n    branches: [ 'main', 'release-*' ]\n\npermissions: read-all\n\njobs:\n  gofmt:\n    n"
  },
  {
    "path": ".github/workflows/tests.yaml",
    "chars": 2749,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": ".github/workflows/verify-codegen.yaml",
    "chars": 1636,
    "preview": "#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may n"
  },
  {
    "path": ".github/workflows/verify-docs.yaml",
    "chars": 1623,
    "preview": "#\n# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may n"
  },
  {
    "path": ".github/workflows/whitespace.yaml",
    "chars": 556,
    "preview": "name: Whitespace\n\non:\n  pull_request:\n    branches: [ 'main', 'release-*' ]\n\npermissions: read-all\n\njobs:\n\n  whitespace:"
  },
  {
    "path": ".gitignore",
    "chars": 556,
    "preview": "# Binaries for programs and plugins\n.DS_STORE\n*.exe\n*.exe~\n*.dll\n*.so\n*.dylib\n\n# Test binary, built with `go test -c`\n*."
  },
  {
    "path": ".golangci.yml",
    "chars": 1625,
    "preview": "#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may n"
  },
  {
    "path": ".goreleaser.yaml",
    "chars": 1902,
    "preview": "project_name: policy-controller\nversion: 2\n\nenv:\n  - GO111MODULE=on\n  - COSIGN_YES=true\n\nbefore:\n  hooks:\n    - go mod t"
  },
  {
    "path": ".ko.yaml",
    "chars": 935,
    "preview": "#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may n"
  },
  {
    "path": "CHANGELOG.md",
    "chars": 2972,
    "preview": "# v0.12.0\n\n* drop 1.27/28 and add 1.30/31/32 k8s\n* fix post submit job\n* Use v0.7.18 for scaffolding, update k8s version"
  },
  {
    "path": "CODEOWNERS",
    "chars": 111,
    "preview": "# The CODEOWNERS are managed via a GitHub team, but the current list is (in alphabetical order):\n#\n# lukehinds\n"
  },
  {
    "path": "CODE_OF_CONDUCT.md",
    "chars": 3214,
    "preview": "# Code of Conduct\n\n## Our Pledge\n\nIn the interest of fostering an open and welcoming environment, we as\ncontributors and"
  },
  {
    "path": "COPYRIGHT.txt",
    "chars": 563,
    "preview": "\nCopyright 2021 The Sigstore Authors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use t"
  },
  {
    "path": "LICENSE",
    "chars": 11357,
    "preview": "                                 Apache License\n                           Version 2.0, January 2004\n                   "
  },
  {
    "path": "Makefile",
    "chars": 6524,
    "preview": "#\n# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may n"
  },
  {
    "path": "README.md",
    "chars": 7121,
    "preview": "<p align=\"center\">\n  <img style=\"max-width: 100%;width: 300px;\" src=\"https://raw.githubusercontent.com/sigstore/communit"
  },
  {
    "path": "cmd/api-docs/main.go",
    "chars": 7941,
    "preview": "//\n// Copyright 2021 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "cmd/local-dev/clean.go",
    "chars": 2657,
    "preview": "//\n// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "cmd/local-dev/main.go",
    "chars": 643,
    "preview": "//\n// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "cmd/local-dev/root.go",
    "chars": 1017,
    "preview": "//\n// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "cmd/local-dev/setup.go",
    "chars": 6926,
    "preview": "//\n// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "cmd/sample/main.go",
    "chars": 675,
    "preview": "//\n// Copyright 2021 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "cmd/schema/main.go",
    "chars": 1231,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "cmd/tester/main.go",
    "chars": 7374,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "cmd/tester/trustroot.go",
    "chars": 1924,
    "preview": "//\n// Copyright 2024 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "cmd/webhook/depcheck_test.go",
    "chars": 1060,
    "preview": "//\n// Copyright 2021 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "cmd/webhook/main.go",
    "chars": 16248,
    "preview": "//\n// Copyright 2021 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "config/100-namespace.yaml",
    "chars": 701,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/200-clusterrole.yaml",
    "chars": 3324,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/200-role.yaml",
    "chars": 1696,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/200-serviceaccount.yaml",
    "chars": 676,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/201-clusterrolebinding.yaml",
    "chars": 877,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/201-rolebinding.yaml",
    "chars": 900,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/300-clusterimagepolicy.yaml",
    "chars": 46352,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/300-trustroot.yaml",
    "chars": 9442,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/400-webhook-service.yaml",
    "chars": 754,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/500-webhook-configuration.yaml",
    "chars": 1780,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/501-policy-webhook-configurations.yaml",
    "chars": 1406,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/config-image-policies.yaml",
    "chars": 1213,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/config-leader-election.yaml",
    "chars": 2173,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/config-logging.yaml",
    "chars": 2011,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/config-observability.yaml",
    "chars": 2114,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/config-policy-controller.yaml",
    "chars": 918,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/config-sigstore-keys.yaml",
    "chars": 7429,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/dummy.go",
    "chars": 710,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "config/kustomization.yaml",
    "chars": 1157,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "config/webhook.yaml",
    "chars": 3722,
    "preview": "# Copyright 2021 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "docs/api-types/index-v1alpha1.md",
    "chars": 20367,
    "preview": "\n\n# API Documentation (v1alpha1)\n\n> This document is automatically generated from the API definition in the code.\n\n## Ta"
  },
  {
    "path": "docs/api-types/index.md",
    "chars": 13999,
    "preview": "\n\n# API Documentation (v1beta1)\n\n> This document is automatically generated from the API definition in the code.\n\n## Tab"
  },
  {
    "path": "examples/README.md",
    "chars": 5559,
    "preview": "# Examples\n\n*Note: adding a new example here? Make sure to add test\nfor it in\n[`../.github/workflows/policy-tester-examp"
  },
  {
    "path": "examples/keys/cosign.key",
    "chars": 649,
    "preview": "-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----\neyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6\nOCwicCI6MX"
  },
  {
    "path": "examples/keys/cosign.pub",
    "chars": 178,
    "preview": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOc6HkISHzVdUbtUsdjYtPuyPYBeg\n4FCemyVurIM4KEORQk4OAu8ZNwxv"
  },
  {
    "path": "examples/policies/allow-only-pods.yaml",
    "chars": 919,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "examples/policies/custom-key-attestation-sbom-spdxjson.yaml",
    "chars": 1410,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "examples/policies/keyless-attestation-sbom-spdxjson.yaml",
    "chars": 1452,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "examples/policies/release-signed-by-github-actions.yaml",
    "chars": 1594,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "examples/policies/signed-by-aws-kms-key.yaml",
    "chars": 1187,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "examples/policies/signed-by-gcp-kms-key.yaml",
    "chars": 1109,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "examples/policies/signed-by-github-actions.yaml",
    "chars": 1520,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "examples/sboms/example.spdx.json",
    "chars": 1415,
    "preview": "{\n  \"spdxVersion\": \"SPDX-2.2\",\n  \"dataLicense\": \"CC0-1.0\",\n  \"SPDXID\": \"SPDXRef-DOCUMENT\",\n  \"creationInfo\": {\n    \"crea"
  },
  {
    "path": "go.mod",
    "chars": 17061,
    "preview": "module github.com/sigstore/policy-controller\n\ngo 1.25.7\n\nrequire (\n\tgithub.com/aws/aws-sdk-go-v2 v1.41.2\n\tgithub.com/gol"
  },
  {
    "path": "go.sum",
    "chars": 139019,
    "preview": "al.essio.dev/pkg/shellescape v1.6.0 h1:NxFcEqzFSEVCGN2yq7Huv/9hyCEGVa/TncnOOBBeXHA=\nal.essio.dev/pkg/shellescape v1.6.0/"
  },
  {
    "path": "hack/boilerplate/boilerplate.go.txt",
    "chars": 599,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "hack/gentestdata/gentestdata.go",
    "chars": 9407,
    "preview": "// Copyright 2024 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "hack/github-oidc-setup.sh",
    "chars": 3487,
    "preview": "#!/usr/bin/env bash\n\n# Copyright 2022 The Sigstore Authors\n#\n# Licensed under the Apache License, Version 2.0 (the \"Lice"
  },
  {
    "path": "hack/tools.go",
    "chars": 1185,
    "preview": "//go:build tools\n// +build tools\n\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Versi"
  },
  {
    "path": "hack/update-codegen.sh",
    "chars": 3487,
    "preview": "#!/usr/bin/env bash\n\n# Copyright 2022 The Sigstore Authors\n#\n# Licensed under the Apache License, Version 2.0 (the \"Lice"
  },
  {
    "path": "hack/update-deps.sh",
    "chars": 860,
    "preview": "#!/usr/bin/env bash\n\n# Copyright 2022 The Sigstore Authors\n#\n# Licensed under the Apache License, Version 2.0 (the \"Lice"
  },
  {
    "path": "images/dot/signatures.dot",
    "chars": 1360,
    "preview": "digraph {\n  compound=true;\n  rankdir=\"LR\";\n  ordering = in;\n\n  subgraph cluster_registry {\n    label = \"registry\";\n\n    "
  },
  {
    "path": "pkg/apis/config/doc.go",
    "chars": 985,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/config/image_policies.go",
    "chars": 4957,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/config/image_policies_test.go",
    "chars": 11635,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/config/sigstore_keys.go",
    "chars": 9221,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/config/sigstore_keys_test.go",
    "chars": 4241,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/config/store.go",
    "chars": 2938,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/config/store_test.go",
    "chars": 2851,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/config/testdata/config-image-policies.yaml",
    "chars": 7104,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "pkg/apis/config/testdata/config-invalid-image-policy.yaml",
    "chars": 1306,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "pkg/apis/config/testdata/config-sigstore-keys.yaml",
    "chars": 6034,
    "preview": "# Copyright 2022 The Sigstore Authors.\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not"
  },
  {
    "path": "pkg/apis/duck/v1beta1/doc.go",
    "chars": 751,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_defaults.go",
    "chars": 1454,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_defaults_test.go",
    "chars": 2588,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_implements_test.go",
    "chars": 1003,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_types.go",
    "chars": 3619,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_types_test.go",
    "chars": 2231,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_validation.go",
    "chars": 1522,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/duck/v1beta1/podscalable_validation_test.go",
    "chars": 2440,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/duck/v1beta1/register.go",
    "chars": 1902,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/duck/v1beta1/zz_generated.deepcopy.go",
    "chars": 3764,
    "preview": "//go:build !ignore_autogenerated\n// +build !ignore_autogenerated\n\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed"
  },
  {
    "path": "pkg/apis/glob/glob.go",
    "chars": 3922,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/glob/glob_test.go",
    "chars": 4701,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/common/validation.go",
    "chars": 6871,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/common/validation_test.go",
    "chars": 1769,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/register.go",
    "chars": 987,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go",
    "chars": 10323,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion_test.go",
    "chars": 11108,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_defaults.go",
    "chars": 1284,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_defaults_test.go",
    "chars": 4336,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_lifecycle.go",
    "chars": 3459,
    "preview": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_lifecycle_test.go",
    "chars": 5980,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_types.go",
    "chars": 15793,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_validation.go",
    "chars": 13151,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/clusterimagepolicy_validation_test.go",
    "chars": 45915,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/doc.go",
    "chars": 679,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/register.go",
    "chars": 1918,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/trustroot_defaults.go",
    "chars": 1019,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/trustroot_defaults_test.go",
    "chars": 1937,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/trustroot_lifecycle.go",
    "chars": 2543,
    "preview": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/trustroot_types.go",
    "chars": 8420,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/trustroot_validation.go",
    "chars": 7595,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/trustroot_validation_test.go",
    "chars": 13199,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1alpha1/zz_generated.deepcopy.go",
    "chars": 20690,
    "preview": "//go:build !ignore_autogenerated\n// +build !ignore_autogenerated\n\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_conversion.go",
    "chars": 1142,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_conversion_test.go",
    "chars": 1370,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_defaults.go",
    "chars": 1283,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_defaults_test.go",
    "chars": 4346,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_lifecycle.go",
    "chars": 3458,
    "preview": "// Copyright 2023 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_types.go",
    "chars": 15658,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_validation.go",
    "chars": 13256,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1beta1/clusterimagepolicy_validation_test.go",
    "chars": 48940,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1beta1/doc.go",
    "chars": 678,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1beta1/register.go",
    "chars": 1880,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/apis/policy/v1beta1/zz_generated.deepcopy.go",
    "chars": 13393,
    "preview": "//go:build !ignore_autogenerated\n// +build !ignore_autogenerated\n\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed"
  },
  {
    "path": "pkg/apis/signaturealgo/signature_digest.go",
    "chars": 1457,
    "preview": "//\n// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you "
  },
  {
    "path": "pkg/apis/signaturealgo/signature_digest_test.go",
    "chars": 1487,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/clientset.go",
    "chars": 4407,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/doc.go",
    "chars": 723,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/fake/clientset_generated.go",
    "chars": 3304,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/fake/doc.go",
    "chars": 723,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/fake/register.go",
    "chars": 1998,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/scheme/doc.go",
    "chars": 739,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/scheme/register.go",
    "chars": 2054,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/duck/v1beta1/doc.go",
    "chars": 725,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/duck/v1beta1/duck_client.go",
    "chars": 3045,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/duck/v1beta1/fake/doc.go",
    "chars": 716,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/duck/v1beta1/fake/fake_duck_client.go",
    "chars": 995,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/duck/v1beta1/generated_expansion.go",
    "chars": 662,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/clusterimagepolicy.go",
    "chars": 7393,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/doc.go",
    "chars": 726,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/fake/doc.go",
    "chars": 716,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/fake/fake_clusterimagepolicy.go",
    "chars": 5918,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/fake/fake_policy_client.go",
    "chars": 1337,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/fake/fake_trustroot.go",
    "chars": 5289,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/generated_expansion.go",
    "chars": 746,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/policy_client.go",
    "chars": 3349,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1alpha1/trustroot.go",
    "chars": 6643,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/clusterimagepolicy.go",
    "chars": 7365,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/doc.go",
    "chars": 725,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/fake/doc.go",
    "chars": 716,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/fake/fake_clusterimagepolicy.go",
    "chars": 5888,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/fake/fake_policy_client.go",
    "chars": 1229,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/generated_expansion.go",
    "chars": 708,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/clientset/versioned/typed/policy/v1beta1/policy_client.go",
    "chars": 3219,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/informers/externalversions/factory.go",
    "chars": 8880,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/informers/externalversions/generic.go",
    "chars": 2583,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go",
    "chars": 1469,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/informers/externalversions/policy/interface.go",
    "chars": 2046,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/informers/externalversions/policy/v1alpha1/clusterimagepolicy.go",
    "chars": 3838,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/informers/externalversions/policy/v1alpha1/interface.go",
    "chars": 1928,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/informers/externalversions/policy/v1alpha1/trustroot.go",
    "chars": 3637,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/informers/externalversions/policy/v1beta1/clusterimagepolicy.go",
    "chars": 3826,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/informers/externalversions/policy/v1beta1/interface.go",
    "chars": 1669,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/client/client.go",
    "chars": 1983,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/client/fake/fake.go",
    "chars": 1816,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/ducks/duck/v1beta1/podscalable/fake/fake.go",
    "chars": 913,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/ducks/duck/v1beta1/podscalable/podscalable.go",
    "chars": 1820,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/factory/factory.go",
    "chars": 1987,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/factory/fake/fake.go",
    "chars": 1563,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/factory/filtered/fake/fake_filtered_factory.go",
    "chars": 2045,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/factory/filtered/filtered_factory.go",
    "chars": 2646,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/clusterimagepolicy.go",
    "chars": 1811,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/fake/fake.go",
    "chars": 1322,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/filtered/clusterimagepolicy.go",
    "chars": 2238,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/clusterimagepolicy/filtered/fake/fake.go",
    "chars": 1713,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/trustroot/fake/fake.go",
    "chars": 1276,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/trustroot/filtered/fake/fake.go",
    "chars": 1694,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/trustroot/filtered/trustroot.go",
    "chars": 2201,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1alpha1/trustroot/trustroot.go",
    "chars": 1765,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/clusterimagepolicy.go",
    "chars": 1805,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/fake/fake.go",
    "chars": 1320,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/filtered/clusterimagepolicy.go",
    "chars": 2232,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  },
  {
    "path": "pkg/client/injection/informers/policy/v1beta1/clusterimagepolicy/filtered/fake/fake.go",
    "chars": 1711,
    "preview": "// Copyright 2022 The Sigstore Authors.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may"
  }
]

// ... and 613 more files (download for full content)
