Add status to ClusterImagePolicy + TrustRoot CRDs

config/300-clusterimagepolicy.yaml

@@ -327,6 +327,45 @@ spec:
                     type:
                       description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :)
                       type: string
+            status:
+              description: Status represents the current state of the ClusterImagePolicy. This data may be out of date.
+              type: object
+              properties:
+                annotations:
+                  description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                conditions:
+                  description: Conditions the latest available observations of a resource's current state.
+                  type: array
+                  items:
+                    type: object
+                    required:
+                      - type
+                      - status
+                    properties:
+                      lastTransitionTime:
+                        description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
+                        type: string
+                      message:
+                        description: A human readable message indicating details about the transition.
+                        type: string
+                      reason:
+                        description: The reason for the condition's last transition.
+                        type: string
+                      severity:
+                        description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.
+                        type: string
+                      status:
+                        description: Status of the condition, one of True, False, Unknown.
+                        type: string
+                      type:
+                        description: Type of condition.
+                        type: string
+                observedGeneration:
+                  description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
+                  type: integer
+                  format: int64
     - name: v1beta1
       served: true
       storage: false
@@ -618,3 +657,42 @@ spec:
                     type:
                       description: Which kind of policy this is, currently only rego or cue are supported. Furthermore, only cue is tested :)
                       type: string
+            status:
+              description: Status represents the current state of the ClusterImagePolicy. This data may be out of date.
+              type: object
+              properties:
+                annotations:
+                  description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                conditions:
+                  description: Conditions the latest available observations of a resource's current state.
+                  type: array
+                  items:
+                    type: object
+                    required:
+                      - type
+                      - status
+                    properties:
+                      lastTransitionTime:
+                        description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
+                        type: string
+                      message:
+                        description: A human readable message indicating details about the transition.
+                        type: string
+                      reason:
+                        description: The reason for the condition's last transition.
+                        type: string
+                      severity:
+                        description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.
+                        type: string
+                      status:
+                        description: Status of the condition, one of True, False, Unknown.
+                        type: string
+                      type:
+                        description: Type of condition.
+                        type: string
+                observedGeneration:
+                  description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
+                  type: integer
+                  format: int64

config/300-trustroot.yaml

@@ -141,3 +141,42 @@ spec:
                           uri:
                             description: The URI at which the CA can be accessed.
                             type: string
+            status:
+              description: Status represents the current state of the TrustRoot. This data may be out of date.
+              type: object
+              properties:
+                annotations:
+                  description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.
+                  type: object
+                  x-kubernetes-preserve-unknown-fields: true
+                conditions:
+                  description: Conditions the latest available observations of a resource's current state.
+                  type: array
+                  items:
+                    type: object
+                    required:
+                      - type
+                      - status
+                    properties:
+                      lastTransitionTime:
+                        description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
+                        type: string
+                      message:
+                        description: A human readable message indicating details about the transition.
+                        type: string
+                      reason:
+                        description: The reason for the condition's last transition.
+                        type: string
+                      severity:
+                        description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.
+                        type: string
+                      status:
+                        description: Status of the condition, one of True, False, Unknown.
+                        type: string
+                      type:
+                        description: Type of condition.
+                        type: string
+                observedGeneration:
+                  description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
+                  type: integer
+                  format: int64

docs/api-types/index-v1alpha1.md

@@ -106,12 +106,13 @@ TransparencyLogInstance describes the immutable parameters from a transparency l
 
 ## TrustRoot
 
-
+TrustRoot defines the keys and certificates that are trusted for validating against. These can be specified as TUF Roots, serialized TUF repository (for air-gap scenarios), as well as serialized keys/certificates, for bring your own keys/certs.
 
 | Field | Description | Scheme | Required |
 | ----- | ----------- | ------ | -------- |
 | metadata |  | [metav1.ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta) | true |
 | spec | Spec is the definition for a trust root. This is either a TUF root and remote or local repository. You can also bring your own keys/certs here. | [TrustRootSpec](#trustrootspec) | true |
+| status | Status represents the current state of the TrustRoot. This data may be out of date. | [TrustRootStatus](#trustrootstatus) | false |
 
 [Back to TOC](#table-of-contents)
 
@@ -138,6 +139,11 @@ TrustRootSpec defines a trusted Root. This is typically either a TUF Root or a b
 
 [Back to TOC](#table-of-contents)
 
+## TrustRootStatus
+
+TrustRootStatus represents the current state of a TrustRoot.
+
+
 ## Attestation
 
 Attestation defines the type of attestation to validate and optionally apply a policy decision to it. Authority block is used to verify the specified attestation types, and if Policy is specified, then it's applied only after the validation of the Attestation signature has been verified.
@@ -169,12 +175,13 @@ Attestation defines the type of attestation to validate and optionally apply a p
 
 ## ClusterImagePolicy
 
-
+ClusterImagePolicy defines the images that go through verification and the authorities used for verification
 
 | Field | Description | Scheme | Required |
 | ----- | ----------- | ------ | -------- |
 | metadata |  | [metav1.ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta) | true |
 | spec | Spec holds the desired state of the ClusterImagePolicy (from the client). | [ClusterImagePolicySpec](#clusterimagepolicyspec) | true |
+| status | Status represents the current state of the ClusterImagePolicy. This data may be out of date. | [ClusterImagePolicyStatus](#clusterimagepolicystatus) | false |
 
 [Back to TOC](#table-of-contents)
 
@@ -203,6 +210,11 @@ ClusterImagePolicySpec defines a list of images that should be verified
 
 [Back to TOC](#table-of-contents)
 
+## ClusterImagePolicyStatus
+
+ClusterImagePolicyStatus represents the current state of a ClusterImagePolicy.
+
+
 ## ConfigMapReference
 
 ConfigMapReference is cut&paste from SecretReference, but for the life of me couldn't find one in the public types. If there's one, use it.

docs/api-types/index.md

@@ -54,12 +54,13 @@ The authorities block defines the rules for discovering and validating signature
 
 ## ClusterImagePolicy
 
-
+ClusterImagePolicy defines the images that go through verification and the authorities used for verification
 
 | Field | Description | Scheme | Required |
 | ----- | ----------- | ------ | -------- |
 | metadata |  | [metav1.ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#objectmeta-v1-meta) | true |
 | spec | Spec holds the desired state of the ClusterImagePolicy (from the client). | [ClusterImagePolicySpec](#clusterimagepolicyspec) | true |
+| status | Status represents the current state of the ClusterImagePolicy. This data may be out of date. | [ClusterImagePolicyStatus](#clusterimagepolicystatus) | false |
 
 [Back to TOC](#table-of-contents)
 
@@ -88,6 +89,11 @@ ClusterImagePolicySpec defines a list of images that should be verified
 
 [Back to TOC](#table-of-contents)
 
+## ClusterImagePolicyStatus
+
+ClusterImagePolicyStatus represents the current state of a ClusterImagePolicy.
+
+
 ## ConfigMapReference
 
 ConfigMapReference is cut&paste from SecretReference, but for the life of me couldn't find one in the public types. If there's one, use it.

pkg/apis/policy/v1alpha1/clusterimagepolicy_conversion.go

@@ -31,6 +31,7 @@ func (c *ClusterImagePolicy) ConvertTo(ctx context.Context, obj apis.Convertible
 	switch sink := obj.(type) {
 	case *v1beta1.ClusterImagePolicy:
 		sink.ObjectMeta = c.ObjectMeta
+		sink.Status.Status = c.Status.DeepCopy().Status
 		return c.Spec.ConvertTo(ctx, &sink.Spec)
 	default:
 		return fmt.Errorf("unknown version, got: %T", sink)
@@ -42,6 +43,7 @@ func (c *ClusterImagePolicy) ConvertFrom(ctx context.Context, obj apis.Convertib
 	switch source := obj.(type) {
 	case *v1beta1.ClusterImagePolicy:
 		c.ObjectMeta = source.ObjectMeta
+		c.Status.Status = source.Status.DeepCopy().Status
 		return c.Spec.ConvertFrom(ctx, &source.Spec)
 	default:
 		return fmt.Errorf("unknown version, got: %T", c)

pkg/apis/policy/v1alpha1/clusterimagepolicy_lifecycle.go

@@ -0,0 +1,93 @@
+// Copyright 2023 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1alpha1
+
+import (
+	"knative.dev/pkg/apis"
+)
+
+const (
+	inlineKeysFailedReason     = "InliningKeysFailed"
+	inlinePoliciesFailedReason = "InliningPoliciesFailed"
+	updateCMFailedReason       = "UpdatingConfigMap"
+)
+
+var cipCondSet = apis.NewLivingConditionSet(
+	ClusterImagePolicyConditionKeysInlined,
+	ClusterImagePolicyConditionPoliciesInlined,
+	ClusterImagePolicyConditionCMUpdated,
+)
+
+// GetConditionSet retrieves the condition set for this resource.
+// Implements the KRShaped interface.
+func (*ClusterImagePolicy) GetConditionSet() apis.ConditionSet {
+	return cipCondSet
+}
+
+// IsReady returns if the ClusterImagePolicy was compiled successfully to
+// ConfigMap.
+func (c *ClusterImagePolicy) IsReady() bool {
+	cs := c.Status
+	return cs.ObservedGeneration == c.Generation &&
+		cs.GetCondition(ClusterImagePolicyConditionReady).IsTrue()
+}
+
+// IsFailed returns true if the resource has observed
+// the latest generation and ready is false.
+func (c *ClusterImagePolicy) IsFailed() bool {
+	cs := c.Status
+	return cs.ObservedGeneration == c.Generation &&
+		cs.GetCondition(ClusterImagePolicyConditionReady).IsFalse()
+}
+
+// InitializeConditions sets the initial values to the conditions.
+func (cs *ClusterImagePolicyStatus) InitializeConditions() {
+	cipCondSet.Manage(cs).InitializeConditions()
+}
+
+// MarkInlineKeysFailed surfaces a failure that we were unable to inline
+// the keys (from secrets or from KMS).
+func (cs *ClusterImagePolicyStatus) MarkInlineKeysFailed(msg string) {
+	cipCondSet.Manage(cs).MarkFalse(ClusterImagePolicyConditionKeysInlined, inlineKeysFailedReason, msg)
+}
+
+// MarkInlineKeysOk marks the status saying that the inlining of the keys
+// had no errors.
+func (cs *ClusterImagePolicyStatus) MarkInlineKeysOk() {
+	cipCondSet.Manage(cs).MarkTrue(ClusterImagePolicyConditionKeysInlined)
+}
+
+// MarkInlinePoliciesFailed surfaces a failure that we were unable to inline
+// the policies, either from ConfigMap or from URL.
+func (cs *ClusterImagePolicyStatus) MarkInlinePoliciesFailed(msg string) {
+	cipCondSet.Manage(cs).MarkFalse(ClusterImagePolicyConditionPoliciesInlined, inlinePoliciesFailedReason, msg)
+}
+
+// MarkInlinePoliciesdOk marks the status saying that the inlining of the
+// policies had no errors.
+func (cs *ClusterImagePolicyStatus) MarkInlinePoliciesOk() {
+	cipCondSet.Manage(cs).MarkTrue(ClusterImagePolicyConditionPoliciesInlined)
+}
+
+// MarkCMUpdateFailed surfaces a failure that we were unable to reflect the
+// CIP into the compiled ConfigMap.
+func (cs *ClusterImagePolicyStatus) MarkCMUpdateFailed(msg string) {
+	cipCondSet.Manage(cs).MarkFalse(ClusterImagePolicyConditionCMUpdated, updateCMFailedReason, msg)
+}
+
+// MarkCMUpdated marks the status saying that the ConfigMap has been updated.
+func (cs *ClusterImagePolicyStatus) MarkCMUpdatedOK() {
+	cipCondSet.Manage(cs).MarkTrue(ClusterImagePolicyConditionCMUpdated)
+}