chore: update CRD and related code to enable type field (ratify-pro…

…ject#1779)

Co-authored-by: Binbin Li <[email protected]>

api/unversioned/keymanagementprovider_types.go

@@ -32,6 +32,10 @@ type KeyManagementProviderSpec struct {
 	// Name of the key management provider
 	Type string `json:"type,omitempty"`
 
+	// Refresh interval for fetching the certificate/key files from the provider. Only for providers that are refreshable. The value is in the format of "1h30m" where "h" means hour and "m" means minute. Valid time units are units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+	// +kubebuilder:default=""
+	RefreshInterval string `json:"refreshInterval,omitempty"`
+
 	// Parameters of the key management provider
 	Parameters runtime.RawExtension `json:"parameters,omitempty"`
 }

api/unversioned/namespacedkeymanagementprovider_types.go

@@ -33,6 +33,10 @@ type NamespacedKeyManagementProviderSpec struct {
 	// Name of the key management provider
 	Type string `json:"type,omitempty"`
 
+	// Refresh interval for fetching the certificate/key files from the provider. Only for providers that are refreshable. The value is in the format of "1h30m" where "h" means hour and "m" means minute. Valid time units are units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+	// +kubebuilder:default=""
+	RefreshInterval string `json:"refreshInterval,omitempty"`
+
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// Parameters of the key management provider
 	Parameters runtime.RawExtension `json:"parameters,omitempty"`

api/unversioned/namespacedverifier_types.go

@@ -27,19 +27,22 @@ type NamespacedVerifierSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 
-	// Name of the verifier
+	// Name of the verifier. Deprecated
 	Name string `json:"name"`
 
+	// Type of the verifier. Optional
+	Type string `json:"type,omitempty"`
+
 	// Version of the verifier plugin. Optional
 	Version string `json:"version,omitempty"`
 
 	// The type of artifact this verifier handles
 	ArtifactTypes string `json:"artifactTypes"`
 
-	// # Optional. URL/file path
+	// URL/file path. Optional
 	Address string `json:"address,omitempty"`
 
-	// OCI Artifact source to download the plugin from, optional
+	// OCI Artifact source to download the plugin from. Optional
 	Source *PluginSource `json:"source,omitempty"`
 
 	// Parameters for this verifier

api/unversioned/verifier_types.go

@@ -26,19 +26,22 @@ import (
 type VerifierSpec struct {
 	// Important: Run "make" to regenerate code after modifying this file
 
-	// Name of the verifier
+	// Name of the verifier. Deprecated
 	Name string `json:"name,omitempty"`
 
+	// Type of the verifier. Optional
+	Type string `json:"type,omitempty"`
+
 	// Version of the verifier plugin. Optional
 	Version string `json:"version,omitempty"`
 
 	// The type of artifact this verifier handles
 	ArtifactTypes string `json:"artifactTypes,omitempty"`
 
-	// # Optional. URL/file path
+	// URL/file path. Optional
 	Address string `json:"address,omitempty"`
 
-	// OCI Artifact source to download the plugin from, optional
+	// OCI Artifact source to download the plugin from. Optional
 	Source *PluginSource `json:"source,omitempty"`
 
 	// Parameters for this verifier

api/v1beta1/namespacedverifier_types.go

@@ -29,19 +29,22 @@ type NamespacedVerifierSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 
-	// Name of the verifier
+	// Name of the verifier. Deprecated
 	Name string `json:"name"`
 
+	// Type of the verifier. Optional
+	Type string `json:"type,omitempty"`
+
 	// Version of the verifier plugin. Optional
 	Version string `json:"version,omitempty"`
 
 	// The type of artifact this verifier handles
 	ArtifactTypes string `json:"artifactTypes"`
 
-	// # Optional. URL/file path
+	// URL/file path. Optional
 	Address string `json:"address,omitempty"`
 
-	// OCI Artifact source to download the plugin from, optional
+	// OCI Artifact source to download the plugin from. Optional
 	Source *PluginSource `json:"source,omitempty"`
 
 	// +kubebuilder:pruning:PreserveUnknownFields

api/v1beta1/verifier_types.go

@@ -25,19 +25,22 @@ import (
 type VerifierSpec struct {
 	// Important: Run "make install-crds" to regenerate code after modifying this file
 
-	// Name of the verifier
+	// Name of the verifier. Deprecated
 	Name string `json:"name"`
 
+	// Type of the verifier. Optional
+	Type string `json:"type,omitempty"`
+
 	// Version of the verifier plugin. Optional
 	Version string `json:"version,omitempty"`
 
 	// The type of artifact this verifier handles
 	ArtifactTypes string `json:"artifactTypes"`
 
-	// # Optional. URL/file path
+	// URL/file path. Optional
 	Address string `json:"address,omitempty"`
 
-	// OCI Artifact source to download the plugin from, optional
+	// OCI Artifact source to download the plugin from. Optional
 	Source *PluginSource `json:"source,omitempty"`
 
 	// +kubebuilder:pruning:PreserveUnknownFields

config/crd/bases/config.ratify.deislabs.io_namespacedverifiers.yaml

@@ -48,20 +48,20 @@ spec:
             description: NamespacedVerifierSpec defines the desired state of NamespacedVerifier
             properties:
               address:
-                description: '# Optional. URL/file path'
+                description: URL/file path. Optional
                 type: string
               artifactTypes:
                 description: The type of artifact this verifier handles
                 type: string
               name:
-                description: Name of the verifier
+                description: Name of the verifier. Deprecated
                 type: string
               parameters:
                 description: Parameters for this verifier
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
               source:
-                description: OCI Artifact source to download the plugin from, optional
+                description: OCI Artifact source to download the plugin from. Optional
                 properties:
                   artifact:
                     description: OCI Artifact source to download the plugin from
@@ -72,6 +72,9 @@ spec:
                     type: object
                     x-kubernetes-preserve-unknown-fields: true
                 type: object
+              type:
+                description: Type of the verifier. Optional
+                type: string
               version:
                 description: Version of the verifier plugin. Optional
                 type: string

config/crd/bases/config.ratify.deislabs.io_verifiers.yaml

@@ -107,20 +107,20 @@ spec:
             description: VerifierSpec defines the desired state of Verifier
             properties:
               address:
-                description: '# Optional. URL/file path'
+                description: URL/file path. Optional
                 type: string
               artifactTypes:
                 description: The type of artifact this verifier handles
                 type: string
               name:
-                description: Name of the verifier
+                description: Name of the verifier. Deprecated
                 type: string
               parameters:
                 description: Parameters for this verifier
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
               source:
-                description: OCI Artifact source to download the plugin from, optional
+                description: OCI Artifact source to download the plugin from. Optional
                 properties:
                   artifact:
                     description: OCI Artifact source to download the plugin from
@@ -131,6 +131,9 @@ spec:
                     type: object
                     x-kubernetes-preserve-unknown-fields: true
                 type: object
+              type:
+                description: Type of the verifier. Optional
+                type: string
               version:
                 description: Version of the verifier plugin. Optional
                 type: string

pkg/controllers/clusterresource/verifier_controller.go

@@ -85,7 +85,7 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 
 // creates a verifier reference from CR spec and add verifier to map
 func verifierAddOrReplace(spec configv1beta1.VerifierSpec, objectName string) error {
-	verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, spec.Name, spec.ArtifactTypes, spec.Source)
+	verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, cutils.GetVerifierType(spec), spec.ArtifactTypes, spec.Source)
 	if err != nil {
 		errMsg := fmt.Sprintf("Unable to apply cluster-wide resource %s of Verifier kind", objectName)
 		logrus.Error(err, errMsg)

pkg/controllers/namespaceresource/verifier_controller.go

@@ -84,7 +84,7 @@ func (r *VerifierReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 
 // creates a verifier reference from CRD spec and add store to map
 func verifierAddOrReplace(spec configv1beta1.NamespacedVerifierSpec, objectName string, namespace string) error {
-	verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, spec.Name, spec.ArtifactTypes, spec.Source)
+	verifierConfig, err := cutils.SpecToVerifierConfig(spec.Parameters.Raw, objectName, cutils.GetVerifierType(spec), spec.ArtifactTypes, spec.Source)
 	if err != nil {
 		errMsg := fmt.Sprintf("Unable to apply the resource %s of NamespacedVerifier kind in the namespace %s", objectName, namespace)
 		logrus.Error(err, errMsg)

pkg/controllers/utils/verifier.go

@@ -72,3 +72,22 @@ func SpecToVerifierConfig(raw []byte, verifierName, verifierType, artifactTypes
 
 	return verifierConfig, nil
 }
+
+// GetVerifierType returns verifier type and is backward compatible with the deprecated name field
+func GetVerifierType(verifierSpec interface{}) string {
+	switch spec := verifierSpec.(type) {
+	case configv1beta1.VerifierSpec:
+		if spec.Type == "" {
+			return spec.Name
+		}
+		return spec.Type
+	case configv1beta1.NamespacedVerifierSpec:
+		if spec.Type == "" {
+			return spec.Name
+		}
+		return spec.Type
+	default:
+		logrus.Error("unable to assert verifierSpec type", spec)
+	}
+	return ""
+}

pkg/controllers/utils/verifier_test.go

@@ -119,3 +119,46 @@ func TestSpecToVerifierConfig(t *testing.T) {
 func resetVerifierMap() {
 	controllers.NamespacedVerifiers = verifiers.NewActiveVerifiers()
 }
+
+func TestGetType(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    interface{}
+		expected string
+	}{
+		{
+			name:     "cluster verifier spec with name",
+			input:    configv1beta1.VerifierSpec{Name: "clusterV"},
+			expected: "clusterV",
+		},
+		{
+			name:     "cluster verifier spec with type",
+			input:    configv1beta1.VerifierSpec{Type: "clusterV"},
+			expected: "clusterV",
+		},
+		{
+			name:     "namespaced verifier spec with name",
+			input:    configv1beta1.NamespacedVerifierSpec{Name: "namespacedV"},
+			expected: "namespacedV",
+		},
+		{
+			name:     "namespaced verifier spec with type",
+			input:    configv1beta1.NamespacedVerifierSpec{Type: "namespacedV"},
+			expected: "namespacedV",
+		},
+		{
+			name:     "verifier spec with no name or type",
+			input:    "",
+			expected: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			output := GetVerifierType(tt.input)
+			if tt.expected != output {
+				t.Fatalf("GetType() expected %v, actual %v", tt.expected, output)
+			}
+		})
+	}
+}