Require CA cert configmap ref for each SignatureStore URL
PratikMahajan committed Dec 5, 2023
1 parent 6164bff commit 52aca23
Showing 8 changed files with 159 additions and 31 deletions.
Expand Up @@ -77,6 +77,7 @@ spec:
- DeploymentConfig
- ImageRegistry
- OperatorLifecycleManager
- CloudCredential
x-kubernetes-list-type: atomic
baselineCapabilitySet:
description: baselineCapabilitySet selects an initial set of optional capabilities to enable, which can be extended via additionalEnabledCapabilities. If unset, the cluster will choose a default, and the default may change over time. The current default is vCurrent.
Expand Down Expand Up @@ -213,6 +214,7 @@ spec:
- DeploymentConfig
- ImageRegistry
- OperatorLifecycleManager
- CloudCredential
x-kubernetes-list-type: atomic
knownCapabilities:
description: knownCapabilities lists all the capabilities known to the current cluster.
Expand All @@ -234,6 +236,7 @@ spec:
- DeploymentConfig
- ImageRegistry
- OperatorLifecycleManager
- CloudCredential
x-kubernetes-list-type: atomic
conditionalUpdates:
description: conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified.
Expand Up @@ -155,15 +155,33 @@ spec:
- name
x-kubernetes-list-type: map
signatureStores:
description: "signatureStores contains the upstream URIs to verify release signatures. By default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually. \n Items in this list should be a valid absolute http/https URI of an upstream signature store as per rfc1738. A maximum of 32 signature stores may be configured."
description: "signatureStores contains the upstream URIs to verify release signatures and optional reference to a config map by name containing the PEM-encoded CA bundle. \n By default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually. \n A maximum of 32 signature stores may be configured."
type: array
maxItems: 32
items:
type: string
x-kubernetes-list-type: set
x-kubernetes-validations:
- rule: self.all(x, isURL(x))
message: signatureStores must contain only valid absolute URLs per the Go net/url standard
description: SignatureStore represents the URL of custom Signature Store
type: object
required:
- url
properties:
ca:
description: ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. It is used as a trust anchor to validate the TLS certificate presented by the remote server. The key "ca.crt" is used to locate the data. If specified and the config map or expected key is not found, the signature store is not honored. If the specified ca data is not valid, the signature store is not honored. If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots. The namespace for this config map is openshift-config.
type: object
required:
- name
properties:
name:
description: name is the metadata.name of the referenced config map
type: string
url:
description: url contains the upstream custom signature store URL. url should be a valid absolute http/https URI of an upstream signature store as per rfc1738. This must be provided and cannot be empty.
type: string
x-kubernetes-validations:
- rule: isURL(self)
message: url must be a valid absolute URL
x-kubernetes-list-map-keys:
- url
x-kubernetes-list-type: map
upstream:
description: upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region.
type: string
16 changes: 8 additions & 8 deletions config/v1/techpreview.clusterversion.testsuite.yaml
Expand Up @@ -169,40 +169,40 @@ tests:
spec:
clusterID: foo
signatureStores:
- "https://osus.ocp.com"
- url: "https://osus.ocp.com"
expected: |
apiVersion: config.openshift.io/v1
kind: ClusterVersion
spec:
clusterID: foo
signatureStores:
- "https://osus.ocp.com"
- url: "https://osus.ocp.com"
- name: Should be able to set multiple custom signature store
initial: |
apiVersion: config.openshift.io/v1
kind: ClusterVersion
spec:
clusterID: foo
signatureStores:
- "https://osus1.ocp.com"
- "https://osus2.ocp.com"
- url: "https://osus1.ocp.com"
- url: "https://osus2.ocp.com"
expected: |
apiVersion: config.openshift.io/v1
kind: ClusterVersion
spec:
clusterID: foo
signatureStores:
- "https://osus1.ocp.com"
- "https://osus2.ocp.com"
- url: "https://osus1.ocp.com"
- url: "https://osus2.ocp.com"
- name: Invalid custom signature store should throw error
initial: |
apiVersion: config.openshift.io/v1
kind: ClusterVersion
spec:
clusterID: foo
signatureStores:
- "osus1.ocp.com"
expectedError: "signatureStores must contain only valid absolute URLs per the Go net/url standard"
- url: "osus1.ocp.com"
expectedError: "url must be a valid absolute URL"
- name: Should be able to unset the signature stores
initial: |
apiVersion: config.openshift.io/v1
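Review bot: Every case in this hunk exercises only `url`; nothing covers the new `ca` reference that the commit adds to the SignatureStore type, so neither a store carrying `ca: {name: ...}` nor one with `ca: {}` (which the generated schema should reject for the missing `name`) is pinned down by the suite. Adding at least the positive round-trip below would catch a regression in the nested-object schema; a negative case for a missing `name` would also be worthwhile, but its exact apiserver error string is not visible here, so I have not guessed it. The config map name `osus-ca` in the example is a constructed placeholder.
```yaml
# … unchanged: existing signatureStores cases …
  - name: Should be able to set a custom signature store with a CA config map reference
    initial: |
      apiVersion: config.openshift.io/v1
      kind: ClusterVersion
      spec:
        clusterID: foo
        signatureStores:
        - url: "https://osus.ocp.com"
          ca:
            name: osus-ca
    expected: |
      apiVersion: config.openshift.io/v1
      kind: ClusterVersion
      spec:
        clusterID: foo
        signatureStores:
        - url: "https://osus.ocp.com"
          ca:
            name: osus-ca
```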
34 changes: 29 additions & 5 deletions config/v1/types_cluster_version.go
Expand Up @@ -88,22 +88,23 @@ type ClusterVersionSpec struct {
// +optional
Capabilities *ClusterVersionCapabilitiesSpec `json:"capabilities,omitempty"`

// signatureStores contains the upstream URIs to verify release signatures.
// signatureStores contains the upstream URIs to verify release signatures and optional
// reference to a config map by name containing the PEM-encoded CA bundle.
//
// By default, CVO will use existing signature stores if this property is empty.
// The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature
// in these stores in parallel only when local ConfigMaps did not include a valid signature.
// Validation will fail if none of the signature stores reply with valid signature before timeout.
// Setting signatureStores will replace the default signature stores with custom signature stores.
// Default stores can be used with custom signature stores by adding them manually.
//
// Items in this list should be a valid absolute http/https URI of an upstream signature store as per rfc1738.
// A maximum of 32 signature stores may be configured.
// +kubebuilder:validation:XValidation:rule="self.all(x, isURL(x))",message="signatureStores must contain only valid absolute URLs per the Go net/url standard"
// +kubebuilder:validation:MaxItems=32
// +openshift:enable:FeatureSets=TechPreviewNoUpgrade
// +listType=set
// +listType=map
// +listMapKey=url
// +optional
SignatureStores []string `json:"signatureStores"`
SignatureStores []SignatureStore `json:"signatureStores"`

// overrides is list of overides for components that are managed by
// cluster version operator. Marking a component unmanaged will prevent
Expand Down Expand Up @@ -785,3 +786,26 @@ type ClusterVersionList struct {

Items []ClusterVersion `json:"items"`
}

// SignatureStore represents the URL of custom Signature Store
type SignatureStore struct {

// url contains the upstream custom signature store URL.
// url should be a valid absolute http/https URI of an upstream signature store as per rfc1738.
// This must be provided and cannot be empty.
//
// +kubebuilder:validation:Type=string
// +kubebuilder:validation:XValidation:rule="isURL(self)",message="url must be a valid absolute URL"
// +kubebuilder:validation:Required
URL string `json:"url"`

// ca is an optional reference to a config map by name containing the PEM-encoded CA bundle.
// It is used as a trust anchor to validate the TLS certificate presented by the remote server.
// The key "ca.crt" is used to locate the data.
// If specified and the config map or expected key is not found, the signature store is not honored.
// If the specified ca data is not valid, the signature store is not honored.
// If empty, we fall back to the CA configured via Proxy, which is appended to the default system roots.
// The namespace for this config map is openshift-config.
// +optional
CA ConfigMapNameReference `json:"ca"`
}
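Review bot: `CA ConfigMapNameReference` at the end of the struct is a value field whose tag `json:"ca"` has no `omitempty`, so a store that sets only `url` marshals as `ca: {name: ""}`, and the doc comment above it gives two different outcomes for that shape — "if empty, fall back to the CA configured via Proxy" versus "if the config map is not found, the signature store is not honored" — without saying which one an empty name selects. The commit title says the CA reference is required, yet the field carries `+optional`; if it is genuinely optional, `CA *ConfigMapNameReference` with tag `json:"ca,omitempty"` makes absence distinguishable from an empty name, and if it is required the marker should be `+kubebuilder:validation:Required`. Either way the comment should state the rule that decides the trust anchor, e.g. `// An empty name is treated as unset and selects the Proxy CA fallback.` ConfigMapNameReference is declared outside this hunk, so whether its name field rejects the empty string cannot be confirmed from here.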
19 changes: 18 additions & 1 deletion config/v1/zz_generated.deepcopy.go


12 changes: 11 additions & 1 deletion config/v1/zz_generated.swagger_doc_generated.go


