{
  "description": "VerificationPolicy defines the rules to verify Tekton resources.\nVerificationPolicy can configure the mapping from resources to a list of public\nkeys, so when verifying the resources we can use the corresponding public keys.",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": [
        "string",
        "null"
      ]
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": [
        "string",
        "null"
      ]
    },
    "metadata": {
      "type": [
        "object",
        "null"
      ]
    },
    "spec": {
      "additionalProperties": false,
      "description": "Spec holds the desired state of the VerificationPolicy.",
      "properties": {
        "authorities": {
          "description": "Authorities defines the rules for validating signatures.",
          "items": {
            "additionalProperties": false,
            "description": "The Authority block defines the keys for validating signatures.",
            "properties": {
              "key": {
                "additionalProperties": false,
                "description": "Key contains the public key to validate the resource.",
                "properties": {
                  "data": {
                    "description": "Data contains the inline public key.",
                    "type": [
                      "string",
                      "null"
                    ]
                  },
                  "hashAlgorithm": {
                    "description": "HashAlgorithm defaults to sha256 if the algorithm has not been explicitly set.",
                    "type": [
                      "string",
                      "null"
                    ]
                  },
                  "kms": {
                    "description": "KMS contains the KMS URL of the public key.\nSupported formats differ based on the KMS system used.\nOne example of a KMS URL could be:\ngcpkms://projects/[PROJECT]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY]/cryptoKeyVersions/[KEY_VERSION]\nFor more examples please refer to https://docs.sigstore.dev/cosign/kms_support.\nNote that the KMS is not supported yet.",
                    "type": [
                      "string",
                      "null"
                    ]
                  },
                  "secretRef": {
                    "additionalProperties": false,
                    "description": "SecretRef sets a reference to a secret with the key.",
                    "properties": {
                      "name": {
                        "description": "name is unique within a namespace to reference a secret resource.",
                        "type": [
                          "string",
                          "null"
                        ]
                      },
                      "namespace": {
                        "description": "namespace defines the space within which the secret name must be unique.",
                        "type": [
                          "string",
                          "null"
                        ]
                      }
                    },
                    "type": [
                      "object",
                      "null"
                    ],
                    "x-kubernetes-map-type": "atomic"
                  }
                },
                "type": [
                  "object",
                  "null"
                ]
              },
              "name": {
                "description": "Name is the name for this authority.",
                "type": "string"
              }
            },
            "required": [
              "name"
            ],
            "type": "object"
          },
          "type": "array"
        },
        "mode": {
          "description": "Mode controls whether a failing policy fails the taskrun/pipelinerun or only logs warnings.\nenforce - fail the taskrun/pipelinerun if verification fails (default)\nwarn - do not fail the taskrun/pipelinerun if verification fails, but log warnings",
          "type": [
            "string",
            "null"
          ]
        },
        "resources": {
          "description": "Resources defines the patterns of resource sources that should be subject to this policy.\nFor example, we may want to apply this Policy to resources from a certain GitHub repo.\nThen the ResourcesPattern should be a valid regex. E.g. if using gitresolver, and we want to configure keys for a certain git repo,\n`ResourcesPattern` can be `https://github.com/tektoncd/catalog.git`; we will use this regex to filter those resources.",
          "items": {
            "additionalProperties": false,
            "description": "ResourcePattern defines the pattern of the resource source",
            "properties": {
              "pattern": {
                "description": "Pattern defines a resource pattern. A regex is created to filter resources based on `Pattern`.\nExample patterns:\nGitHub resource: https://github.com/tektoncd/catalog.git, https://github.com/tektoncd/*\nBundle resource: gcr.io/tekton-releases/catalog/upstream/git-clone, gcr.io/tekton-releases/catalog/upstream/*\nHub resource: https://artifacthub.io/*",
                "type": "string"
              }
            },
            "required": [
              "pattern"
            ],
            "type": "object"
          },
          "type": "array"
        }
      },
      "required": [
        "authorities",
        "resources"
      ],
      "type": "object"
    }
  },
  "required": [
    "spec"
  ],
  "type": "object"
}