Add flags for issuer/subject OCI signature verification

This change introduces two new flags to `create source oci` for providing the values to the `OCIRepository.spec.verify.matchOIDCIdentity.(issuer,subject)` fields. Signed-off-by: Max Jonas Werner <mail@makk.es>
2026-02-06 19:05:55 +00:00 · 2024-04-16 19:32:55 +02:00
parent 90f3c5a5cb
commit 1bb92548e4
5 changed files with 110 additions and 14 deletions
--- a/cmd/flux/testdata/oci/export_with_complete_verification.golden
+++ b/cmd/flux/testdata/oci/export_with_complete_verification.golden
@@ -0,0 +1,16 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: podinfo
+  namespace: flux-system
+spec:
+  interval: 0s
+  ref:
+    tag: 6.3.5
+  url: oci://ghcr.io/stefanprodan/manifests/podinfo
+  verify:
+    matchOIDCIdentity:
+    - issuer: github
+      subject: stefanprodan
+    provider: cosign
--- a/cmd/flux/testdata/oci/export_with_issuer.golden
+++ b/cmd/flux/testdata/oci/export_with_issuer.golden
@@ -0,0 +1,16 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: podinfo
+  namespace: flux-system
+spec:
+  interval: 0s
+  ref:
+    tag: 6.3.5
+  url: oci://ghcr.io/stefanprodan/manifests/podinfo
+  verify:
+    matchOIDCIdentity:
+    - issuer: github
+      subject: ""
+    provider: cosign
--- a/cmd/flux/testdata/oci/export_with_subject.golden
+++ b/cmd/flux/testdata/oci/export_with_subject.golden
@@ -0,0 +1,16 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: OCIRepository
+metadata:
+  name: podinfo
+  namespace: flux-system
+spec:
+  interval: 0s
+  ref:
+    tag: 6.3.5
+  url: oci://ghcr.io/stefanprodan/manifests/podinfo
+  verify:
+    matchOIDCIdentity:
+    - issuer: ""
+      subject: stefanprodan
+    provider: cosign