WIP: policy.json BYOPKI signature verification API #2579
base: main
Conversation
Signed-off-by: Qi Wang <[email protected]>
Hi @mtrmac, I’ve created this draft PR for the policy.json API change, could you take a look and provide your initial thoughts on the structure of the API update?
Thanks! Looks good overall.
Earlier discussion: openshift/enhancements#1658.
Doing both the API and implementation in one PR works for me, having the API available but broken is not really helping anything.
@@ -167,6 +170,22 @@ type prSigstoreSignedFulcio struct { | |||
SubjectEmail string `json:"subjectEmail,omitempty"` | |||
} | |||
|
|||
// prSigstoreSignedPKI contains non-fulcio certificate PKI configuration options for prSigstoreSigned | |||
type prSigstoreSignedPKI struct { |
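Review bot: `prSigstoreSignedPKI` is added unexported with no constructor in this hunk, so code outside the package has no way to build or even name the value. Following `prSigstoreSignedFulcio` in the surrounding context, pair it with an exported interface carrying an unexported method and a `NewPRSigstoreSignedPKI(...)` constructor that takes functional options, and let that constructor own the validation of the field constraints the comments below describe.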
There should be some public type callers can use to refer to the value. Following the other examples here, probably an interface with a private method, and public functions to construct it (NewPRSigstoreSignedPKI etc.) using the “functional option” pattern.
CAIntermediatesPath string `json:"caIntermediatesPath"` | ||
// CAIntermediatesData contains accepted CA intermediate certificates in PEM format, all of that base64-encoded. Only one of CAIntermediatesPath or CAIntermediatesData can be specified, not both. | ||
CAIntermediatesData []byte `json:"caIntermediatesData"` | ||
// SubjectEmail specifies the expected email address imposed on the subject to which the certificate was issued. Exactly one of SubjectEmail and Hostname must be specified. |
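Review bot: the `caIntermediatesPath` and `caIntermediatesData` tags lack `,omitempty`, unlike `subjectEmail,omitempty` in the Fulcio struct in the hunk context, so marshalling a policy that uses only one source still emits the other as `""` or `null`. Since the comment says only one of the two may be set, add `omitempty` to both tags and reject the both-set case in the unmarshalling or validation code; the struct type alone cannot enforce that exclusivity.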
(Nit: A blank line above would separate the two kinds of fields.)
// SubjectEmail specifies the expected email address imposed on the subject to which the certificate was issued. Exactly one of SubjectEmail and Hostname must be specified. | ||
SubjectEmail string `json:"subjectEmail"` | ||
// Hostname specifies the expected hostname imposed on the subject to which the certificate was issued. Exactly one of SubjectEmail and Hostname must be specified. | ||
Hostname string `json:"hostname"` |
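Review bot: `Hostname` reads as a generic field while its sibling is `SubjectEmail`; naming it `SubjectHostname` with tag `subjectHostname` keeps the two subject fields recognisable as a pair. The "exactly one of" rule stated in both comments also needs an explicit check for the two-set and neither-set cases, and the comment should say which certificate field the hostname is matched against (subject CN or a SAN dNSName), because callers cannot tell from the type.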
Hostname string `json:"hostname"` | |
SubjectHostname string `json:"subjectHostname"` |
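The exported handle and functional-option constructor that the review comment above asks for, as an added example that is not the PR's own code: it takes the field names from the diff (with `SubjectHostname` as suggested in review), and the `omitempty` tags, the option type without an error return, and the sample path and hostname are this example's assumptions. The constructor enforces the two exclusivity rules the field comments state.

```go
package main

import (
	"errors"
	"fmt"
)

// prSigstoreSignedPKI follows the struct in the diff; SubjectHostname is the reviewed name, omitempty is assumed.
type prSigstoreSignedPKI struct {
	CAIntermediatesPath string `json:"caIntermediatesPath,omitempty"`
	CAIntermediatesData []byte `json:"caIntermediatesData,omitempty"`
	SubjectEmail        string `json:"subjectEmail,omitempty"`
	SubjectHostname     string `json:"subjectHostname,omitempty"`
}

// PRSigstoreSignedPKI is the exported handle; the unexported method means only this package can implement it.
type PRSigstoreSignedPKI interface{ prSigstoreSignedPKIMarker() }
func (prSigstoreSignedPKI) prSigstoreSignedPKIMarker() {}

// PRSigstoreSignedPKIOption is one functional option applied by the constructor (assumed: no error return).
type PRSigstoreSignedPKIOption func(*prSigstoreSignedPKI)

func PRSigstoreSignedPKIWithCAIntermediatesPath(p string) PRSigstoreSignedPKIOption {
	return func(r *prSigstoreSignedPKI) { r.CAIntermediatesPath = p }
}
func PRSigstoreSignedPKIWithCAIntermediatesData(d []byte) PRSigstoreSignedPKIOption {
	return func(r *prSigstoreSignedPKI) { r.CAIntermediatesData = d }
}
func PRSigstoreSignedPKIWithSubjectEmail(e string) PRSigstoreSignedPKIOption {
	return func(r *prSigstoreSignedPKI) { r.SubjectEmail = e }
}
func PRSigstoreSignedPKIWithSubjectHostname(h string) PRSigstoreSignedPKIOption {
	return func(r *prSigstoreSignedPKI) { r.SubjectHostname = h }
}

// NewPRSigstoreSignedPKI applies the options, then enforces the two constraints the field comments state.
func NewPRSigstoreSignedPKI(opts ...PRSigstoreSignedPKIOption) (PRSigstoreSignedPKI, error) {
	var r prSigstoreSignedPKI
	for _, o := range opts { o(&r) }
	if r.CAIntermediatesPath != "" && r.CAIntermediatesData != nil {
		return nil, errors.New("only one of caIntermediatesPath and caIntermediatesData may be set")
	}
	if (r.SubjectEmail != "") == (r.SubjectHostname != "") { // neither or both set
		return nil, errors.New("exactly one of subjectEmail and subjectHostname must be set")
	}
	return r, nil
}

func main() { // constructed inputs: an intermediates PEM path and a signer hostname
	fmt.Println(NewPRSigstoreSignedPKI(PRSigstoreSignedPKIWithCAIntermediatesPath("/etc/pki/ca.pem"), PRSigstoreSignedPKIWithSubjectHostname("signer.example.com")))
}
```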