{ "type": "object", "properties": { "spec": { "description": "Spec is the definition for a trust root. This is either a TUF root and remote or local repository. You can also bring your own keys/certs here.", "type": "object", "properties": { "remote": { "description": "Remote specifies initial root of trust & remote mirror.", "type": "object", "properties": { "mirror": { "description": "Mirror is the remote mirror, for example: https://tuf-repo-cdn.sigstore.dev", "type": "string" }, "root": { "description": "Root is the base64 encoded, json trusted initial root.", "type": "string" }, "targets": { "description": "Targets is where the targets live off of the root of the Remote If not specified 'targets' is defaulted.", "type": "string" }, "trustedRootTarget": { "description": "TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used.", "type": "string" } }, "additionalProperties": false }, "repository": { "description": "Repository contains the serialized TUF remote repository.", "type": "object", "properties": { "mirrorFS": { "description": "MirrorFS is the base64 tarred, gzipped, and base64 encoded remote repository that can be used for example in air-gap environments. Will not make outbound network connections, and must then be kept up to date in some other manner. The repository must contain metadata as well as targets.", "type": "string" }, "root": { "description": "Root is the base64 encoded, json trusted initial root.", "type": "string" }, "targets": { "description": "Targets is where the targets live off of the root of the Repository above. If not specified 'targets' is defaulted.", "type": "string" }, "trustedRootTarget": { "description": "TrustedRootTarget is the name of the target containing the JSON trusted root. If not specified, `trusted_root.json` is used.", "type": "string" } }, "additionalProperties": false }, "sigstoreKeys": { "description": "SigstoreKeys contains the serialized keys.", "type": "object", "properties": { "certificateAuthorities": { "description": "Trusted certificate authorities (e.g Fulcio).", "type": "array", "items": { "type": "object", "properties": { "certChain": { "description": "The certificate chain for this CA in PEM format. Last entry in this chain is the Root certificate.", "type": "string" }, "subject": { "description": "The root certificate MUST be self-signed, and so the subject and issuer are the same.", "type": "object", "properties": { "commonName": { "type": "string" }, "organization": { "type": "string" } }, "additionalProperties": false }, "uri": { "description": "The URI at which the CA can be accessed.", "type": "string" } }, "additionalProperties": false } }, "ctLogs": { "description": "Certificate Transparency Log", "type": "array", "items": { "type": "object", "properties": { "baseURL": { "description": "The base URL which can be used for URLs for clients.", "type": "string" }, "hashAlgorithm": { "description": "/ The hash algorithm used for the Merkle Tree", "type": "string" }, "publicKey": { "description": "PEM encoded public key", "type": "string" } }, "additionalProperties": false } }, "tLogs": { "description": "Rekor log specifications", "type": "array", "items": { "type": "object", "properties": { "baseURL": { "description": "The base URL which can be used for URLs for clients.", "type": "string" }, "hashAlgorithm": { "description": "/ The hash algorithm used for the Merkle Tree", "type": "string" }, "publicKey": { "description": "PEM encoded public key", "type": "string" } }, "additionalProperties": false } }, "timestampAuthorities": { "description": "Trusted timestamping authorities", "type": "array", "items": { "type": "object", "properties": { "certChain": { "description": "The certificate chain for this CA in PEM format. Last entry in this chain is the Root certificate.", "type": "string" }, "subject": { "description": "The root certificate MUST be self-signed, and so the subject and issuer are the same.", "type": "object", "properties": { "commonName": { "type": "string" }, "organization": { "type": "string" } }, "additionalProperties": false }, "uri": { "description": "The URI at which the CA can be accessed.", "type": "string" } }, "additionalProperties": false } } }, "additionalProperties": false } }, "additionalProperties": false }, "status": { "description": "Status represents the current state of the TrustRoot. This data may be out of date.", "type": "object", "properties": { "annotations": { "description": "Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.", "type": "object", "x-kubernetes-preserve-unknown-fields": true }, "conditions": { "description": "Conditions the latest available observations of a resource's current state.", "type": "array", "items": { "type": "object", "required": [ "type", "status" ], "properties": { "lastTransitionTime": { "description": "LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).", "type": "string" }, "message": { "description": "A human readable message indicating details about the transition.", "type": "string" }, "reason": { "description": "The reason for the condition's last transition.", "type": "string" }, "severity": { "description": "Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, Unknown.", "type": "string" }, "type": { "description": "Type of condition.", "type": "string" } }, "additionalProperties": false } }, "observedGeneration": { "description": "ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.", "type": "integer", "format": "int64" } }, "additionalProperties": false } } }