fix: remove unimplemented field from HelmChart CRD

api/v1/helmchart_types.go

@@ -86,7 +86,7 @@ type HelmChartSpec struct {
 	// This field is only supported when using HelmRepository source with spec.type 'oci'.
 	// Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
 	// +optional
-	Verify *OCIRepositoryVerification `json:"verify,omitempty"`
+	Verify *HelmChartVerification `json:"verify,omitempty"`
 }
 
 const (

api/v1/ociverification_types.go

@@ -47,6 +47,26 @@ type OCIRepositoryVerification struct {
 	TrustedRootSecretRef *meta.LocalObjectReference `json:"trustedRootSecretRef,omitempty"`
 }
 
+// HelmChartVerification verifies the authenticity of an OCI Artifact
+type HelmChartVerification struct {
+	// Provider specifies the technology used to sign the OCI Artifact.
+	// +kubebuilder:validation:Enum=cosign;notation
+	// +kubebuilder:default:=cosign
+	Provider string `json:"provider"`
+
+	// SecretRef specifies the Kubernetes Secret containing the
+	// trusted public keys.
+	// +optional
+	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// MatchOIDCIdentity specifies the identity matching criteria to use
+	// while verifying an OCI artifact which was signed using Cosign keyless
+	// signing. The artifact's identity is deemed to be verified if any of the
+	// specified matchers match against the identity.
+	// +optional
+	MatchOIDCIdentity []OIDCIdentityMatch `json:"matchOIDCIdentity,omitempty"`
+}
+
 // OIDCIdentityMatch specifies options for verifying the certificate identity,
 // i.e. the issuer and the subject of the certificate.
 type OIDCIdentityMatch struct {

config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml

@@ -184,19 +184,6 @@ spec:
                     required:
                     - name
                     type: object
-                  trustedRootSecretRef:
-                    description: |-
-                      TrustedRootSecretRef specifies the Kubernetes Secret containing a
-                      Sigstore trusted_root.json file. This enables verification against
-                      self-hosted Sigstore infrastructure (custom Fulcio CA, self-hosted
-                      Rekor instance). The Secret must contain a key named "trusted_root.json".
-                    properties:
-                      name:
-                        description: Name of the referent.
-                        type: string
-                    required:
-                    - name
-                    type: object
                 required:
                 - provider
                 type: object

docs/api/v1/source.md

@@ -757,8 +757,8 @@ source.</p>
 <td>
 <code>verify</code><br>
 <em>
-<a href="#source.toolkit.fluxcd.io/v1.OCIRepositoryVerification">
-OCIRepositoryVerification
+<a href="#source.toolkit.fluxcd.io/v1.HelmChartVerification">
+HelmChartVerification
 </a>
 </em>
 </td>
@@ -2638,8 +2638,8 @@ source.</p>
 <td>
 <code>verify</code><br>
 <em>
-<a href="#source.toolkit.fluxcd.io/v1.OCIRepositoryVerification">
-OCIRepositoryVerification
+<a href="#source.toolkit.fluxcd.io/v1.HelmChartVerification">
+HelmChartVerification
 </a>
 </em>
 </td>
@@ -2787,6 +2787,70 @@ github.com/fluxcd/pkg/apis/meta.ReconcileRequestStatus
 </table>
 </div>
 </div>
+<h3 id="source.toolkit.fluxcd.io/v1.HelmChartVerification">HelmChartVerification
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#source.toolkit.fluxcd.io/v1.HelmChartSpec">HelmChartSpec</a>)
+</p>
+<p>HelmChartVerification verifies the authenticity of an OCI Artifact</p>
+<div class="md-typeset__scrollwrap">
+<div class="md-typeset__table">
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>provider</code><br>
+<em>
+string
+</em>
+</td>
+<td>
+<p>Provider specifies the technology used to sign the OCI Artifact.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>secretRef</code><br>
+<em>
+<a href="https://pkg.go.dev/github.com/fluxcd/pkg/apis/meta#LocalObjectReference">
+github.com/fluxcd/pkg/apis/meta.LocalObjectReference
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>SecretRef specifies the Kubernetes Secret containing the
+trusted public keys.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>matchOIDCIdentity</code><br>
+<em>
+<a href="#source.toolkit.fluxcd.io/v1.OIDCIdentityMatch">
+[]OIDCIdentityMatch
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>MatchOIDCIdentity specifies the identity matching criteria to use
+while verifying an OCI artifact which was signed using Cosign keyless
+signing. The artifact&rsquo;s identity is deemed to be verified if any of the
+specified matchers match against the identity.</p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
 <h3 id="source.toolkit.fluxcd.io/v1.HelmRepositorySpec">HelmRepositorySpec
 </h3>
 <p>
@@ -3605,7 +3669,6 @@ github.com/fluxcd/pkg/apis/meta.ReconcileRequestStatus
 </h3>
 <p>
 (<em>Appears on:</em>
-<a href="#source.toolkit.fluxcd.io/v1.HelmChartSpec">HelmChartSpec</a>, 
 <a href="#source.toolkit.fluxcd.io/v1.OCIRepositorySpec">OCIRepositorySpec</a>)
 </p>
 <p>OCIRepositoryVerification verifies the authenticity of an OCI Artifact</p>
@@ -3687,6 +3750,7 @@ Rekor instance). The Secret must contain a key named &ldquo;trusted_root.json&rd
 </h3>
 <p>
 (<em>Appears on:</em>
+<a href="#source.toolkit.fluxcd.io/v1.HelmChartVerification">HelmChartVerification</a>, 
 <a href="#source.toolkit.fluxcd.io/v1.OCIRepositoryVerification">OCIRepositoryVerification</a>)
 </p>
 <p>OIDCIdentityMatch specifies options for verifying the certificate identity,

internal/controller/helmchart_controller_test.go

@@ -2903,7 +2903,7 @@ func TestHelmChartRepository_reconcileSource_verifyOCISourceSignature_keyless(t
 					},
 					Version: tt.version,
 					Chart:   "podinfo",
-					Verify: &sourcev1.OCIRepositoryVerification{
+					Verify: &sourcev1.HelmChartVerification{
 						Provider: "cosign",
 					},
 				},
@@ -3017,7 +3017,7 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureNotation(t *t
 			beforeFunc: func(obj *sourcev1.HelmChart) {
 				obj.Spec.Chart = metadata.Name
 				obj.Spec.Version = metadata.Version
-				obj.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+				obj.Spec.Verify = &sourcev1.HelmChartVerification{
 					Provider:  "notation",
 					SecretRef: &meta.LocalObjectReference{Name: "notation-config"},
 				}
@@ -3036,7 +3036,7 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureNotation(t *t
 			beforeFunc: func(obj *sourcev1.HelmChart) {
 				obj.Spec.Chart = metadata.Name
 				obj.Spec.Version = metadata.Version
-				obj.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+				obj.Spec.Verify = &sourcev1.HelmChartVerification{
 					Provider:  "notation",
 					SecretRef: &meta.LocalObjectReference{Name: "notation-config"},
 				}
@@ -3057,7 +3057,7 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureNotation(t *t
 			beforeFunc: func(obj *sourcev1.HelmChart) {
 				obj.Spec.Chart = metadata.Name
 				obj.Spec.Version = metadata.Version
-				obj.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+				obj.Spec.Verify = &sourcev1.HelmChartVerification{
 					Provider:  "notation",
 					SecretRef: &meta.LocalObjectReference{Name: "notation-config"},
 				}
@@ -3096,7 +3096,7 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureNotation(t *t
 			beforeFunc: func(obj *sourcev1.HelmChart) {
 				obj.Spec.Chart = metadata.Name
 				obj.Spec.Version = metadata.Version
-				obj.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+				obj.Spec.Verify = &sourcev1.HelmChartVerification{
 					Provider:  "notation",
 					SecretRef: &meta.LocalObjectReference{Name: "notation-config"},
 				}
@@ -3116,7 +3116,7 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureNotation(t *t
 			beforeFunc: func(obj *sourcev1.HelmChart) {
 				obj.Spec.Chart = metadata.Name
 				obj.Spec.Version = metadata.Version
-				obj.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+				obj.Spec.Verify = &sourcev1.HelmChartVerification{
 					Provider:  "notation",
 					SecretRef: &meta.LocalObjectReference{Name: "notation-config"},
 				}
@@ -3341,7 +3341,7 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureCosign(t *tes
 			beforeFunc: func(obj *sourcev1.HelmChart) {
 				obj.Spec.Chart = metadata.Name
 				obj.Spec.Version = metadata.Version
-				obj.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+				obj.Spec.Verify = &sourcev1.HelmChartVerification{
 					Provider:  "cosign",
 					SecretRef: &meta.LocalObjectReference{Name: "cosign-key"},
 				}
@@ -3359,7 +3359,7 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureCosign(t *tes
 			beforeFunc: func(obj *sourcev1.HelmChart) {
 				obj.Spec.Chart = metadata.Name
 				obj.Spec.Version = metadata.Version
-				obj.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+				obj.Spec.Verify = &sourcev1.HelmChartVerification{
 					Provider: "cosign",
 				}
 			},
@@ -3376,7 +3376,7 @@ func TestHelmChartReconciler_reconcileSourceFromOCI_verifySignatureCosign(t *tes
 			beforeFunc: func(obj *sourcev1.HelmChart) {
 				obj.Spec.Chart = metadata.Name
 				obj.Spec.Version = metadata.Version
-				obj.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+				obj.Spec.Verify = &sourcev1.HelmChartVerification{
 					Provider:  "cosign",
 					SecretRef: &meta.LocalObjectReference{Name: "cosign-key"},
 				}