trustedresources

package
v0.0.0-...-4fc8c9b
Warning

This package is not in the latest version of its module.

Published: Nov 28, 2023 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Copyright 2022 The Tekton Authors

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Constants

const (
	// SignatureAnnotation is the key of signature in annotation map
	SignatureAnnotation = "tekton.dev/signature"
	// ConditionTrustedResourcesVerified specifies whether the resource passed trusted resources verification.
	ConditionTrustedResourcesVerified apis.ConditionType = "TrustedResourcesVerified"
)

const (
	VerificationSkip = iota
	VerificationPass
	VerificationWarn
	VerificationError
)

Variables

var (
	// ErrResourceVerificationFailed is returned when a resource fails trusted resources verification.
	ErrResourceVerificationFailed = errors.New("resource verification failed")
	// ErrNoMatchedPolicies is returned when no policies are matched
	ErrNoMatchedPolicies = errors.New("no policies are matched")
	// ErrRegexMatch is returned when regex match returns error
	ErrRegexMatch = errors.New("regex failed to match")
	// ErrResourceNotSupported is returned when the resource type is not supported
	ErrResourceNotSupported = errors.New("resource type not supported")
)

Functions

This section is empty.

Types

type Hashable

type Hashable interface {
	Checksum() ([]byte, error)
}

type VerificationResult

type VerificationResult struct {
	// VerificationResultType has 4 values, corresponding to 4 cases:
	// 0 (VerificationSkip): The verification was skipped. Err is nil in this case.
	// 1 (VerificationPass): The verification passed. Err is nil in this case.
	// 2 (VerificationWarn): A warning is logged: either there are no matching policies and the feature flag "no-match-policy" is "warn", or only Warn mode verification policies fail.
	// 3 (VerificationError): The verification failed: the signature doesn't match the public key, there are no matching policies and "no-match-policy" is set to "fail", or there are errors during verification.
	VerificationResultType VerificationResultType
	// Err contains the error message when there is a warning logged or error returned.
	Err error
}

VerificationResult contains the type and message of a verification result.

func VerifyPipeline

func VerifyPipeline(ctx context.Context, pipelineObj *v1beta1.Pipeline, k8s kubernetes.Interface, refSource *v1.RefSource, verificationpolicies []*v1alpha1.VerificationPolicy) VerificationResult

VerifyPipeline is deprecated; it is kept for backward compatibility.

func VerifyResource

func VerifyResource(ctx context.Context, resource metav1.Object, k8s kubernetes.Interface, refSource *v1.RefSource, verificationpolicies []*v1alpha1.VerificationPolicy) VerificationResult

VerifyResource verifies the resource (v1beta1 and v1 task and pipeline) against its signature and public key. A VerificationResult is returned, with a different type for each case:

1) VerificationSkip, when no policies are found and no-match-policy is set to ignore.
2) VerificationPass, when verification passed.
3) VerificationWarn, when there are no matching policies and the feature flag "no-match-policy" is "warn", or only Warn mode verification policies fail. The Err field is filled with the warning.
4) VerificationError, when no policies are found and no-match-policy is set to fail, the resource fails to pass a matched enforce verification policy, or there are errors during verification. Err is filled with the error.

refSource contains the source information of the resource.
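A caller has to turn the four result types into an allow or deny decision, and the safe default is to fail closed. The following is an added example, not code from the Tekton project: it mirrors the identifiers documented on this page locally so it builds without the Tekton module. Decide, its reason strings, and the assumption that a no-match warning wraps ErrNoMatchedPolicies are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Local mirrors of identifiers documented on this page (no Tekton import needed).
type VerificationResultType int

const (
	VerificationSkip = iota
	VerificationPass
	VerificationWarn
	VerificationError
)

var ErrNoMatchedPolicies = errors.New("no policies are matched")

type VerificationResult struct {
	VerificationResultType VerificationResultType
	Err                    error
}

// Decide is a hypothetical caller-side gate: may the resource run, and why.
func Decide(r VerificationResult) (allow bool, reason string) {
	switch r.VerificationResultType {
	case VerificationSkip, VerificationPass:
		if r.Err != nil { // documented invariant is Err == nil; fail closed if broken
			return false, "rejected: inconsistent result"
		}
		if r.VerificationResultType == VerificationSkip {
			return true, "skipped: resource runs unverified"
		}
		return true, "verified"
	case VerificationWarn:
		// Assumption: a no-match warning wraps ErrNoMatchedPolicies.
		if errors.Is(r.Err, ErrNoMatchedPolicies) {
			return true, "warning: no policy matched, resource runs unverified"
		}
		return true, fmt.Sprintf("warning: %v", r.Err)
	case VerificationError:
		return false, fmt.Sprintf("rejected: %v", r.Err)
	}
	return false, "rejected: unknown result type" // unknown values fail closed
}

func main() {
	fmt.Println(Decide(VerificationResult{VerificationWarn, ErrNoMatchedPolicies}))
}
```

Skip and Warn both let an unverified resource run, so their reasons are worth surfacing in logs or conditions rather than treating them like Pass.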

func VerifyTask

func VerifyTask(ctx context.Context, taskObj *v1beta1.Task, k8s kubernetes.Interface, refSource *v1.RefSource, verificationpolicies []*v1alpha1.VerificationPolicy) VerificationResult

VerifyTask is deprecated; it is kept for backward compatibility.

type VerificationResultType

type VerificationResultType int

VerificationResultType indicates different cases of a verification result
