chore: regroup verification settings

cmd/trustedpods/deploy.go

@@ -226,23 +226,23 @@ var deployPodCmd = &cobra.Command{
 			fmt.Fprintf(cmd.ErrOrStderr(), "warning: %v\n", err)
 		}
 
-		if pod.PublicVerifiability == true && pod.VerificationHostPath == "" {
+		if pod.VerificationSettings.PublicVerifiability == true && pod.VerificationSettings.VerificationHostPath == "" {
 			for _, image := range pod.Containers {
 				for _, p := range image.Ports {
 					switch ep := p.ExposedPort.(type) {
 					case *pb.Container_Port_HostHttpHost:
-						pod.VerificationHostPath = ep.HostHttpHost + ".tpodinfo"
+						pod.VerificationSettings.VerificationHostPath = ep.HostHttpHost + ".tpodinfo"
 						break
 					}
 				}
-				if pod.VerificationHostPath != "" {
+				if pod.VerificationSettings.VerificationHostPath != "" {
 					break
 				}
 			}
-			if pod.VerificationHostPath == "" {
+			if pod.VerificationSettings.VerificationHostPath == "" {
 				return fmt.Errorf("Public verifiability is set but no verification host path is available or could be derived")
 			}
-			fmt.Printf("pod manifest verification host path set to:%v\n", pod.VerificationHostPath)
+			fmt.Printf("pod manifest verification host path set to:%v\n", pod.VerificationSettings.VerificationHostPath)
 		}
 
 		err = publisher.FundPaymentChannel(ethClient, publisherAuth, deployment, fundsInt, unlockTimeInt, debugMintFunds)

pkg/kubernetes/namespaces.go

@@ -38,7 +38,7 @@ func NewTrustedPodsNamespace(name string, pod *pb.Pod, paymentChannel *pb.Paymen
 		},
 	}
 	// force container image verification
-	if pod.PublicVerifiability {
+	if pod.VerificationSettings.ForcePolicy {
 		log.Println("Image verification is Set")
 		namespace.Labels[SigstorePolicy] = "true"
 	}

pkg/kubernetes/pods.go

@@ -111,7 +111,7 @@ func ApplyPodRequest(
 
 	localhostAliases := corev1.HostAlias{IP: "127.0.0.1"}
 
-	if podManifest.PublicVerifiability {
+	if podManifest.VerificationSettings.PublicVerifiability {
 		// used only to use the routing from keda ingress controller
 		routeHttpsoName := "route-hso"
 		routeHttpso := NewHttpSo(namespace, routeHttpsoName)
@@ -129,7 +129,7 @@ func ApplyPodRequest(
 		routeHttpso.Spec.ScaleTargetRef.Service = serviceProxy.ObjectMeta.Name
 		routeHttpso.Spec.ScaleTargetRef.Port = 9999
 		routeHttpso.Spec.ScaleTargetRef.APIVersion = "apps/v1"
-		routeHttpso.Spec.Hosts = []string{podManifest.VerificationHostPath}
+		routeHttpso.Spec.Hosts = []string{podManifest.VerificationSettings.VerificationHostPath}
 		routeHttpso.Spec.Replicas = &kedahttpv1alpha1.ReplicaStruct{Min: ptr.Int32(1), Max: ptr.Int32(1)}
 		proxyContainer := corev1.Container{
 			Name:  "proxy",
@@ -150,7 +150,7 @@ func ApplyPodRequest(
 
 	annotationValues := []AnnotationValue{}
 	for i, container := range podManifest.Containers {
-		if container.Image.VerificationDetails != nil {
+		if podManifest.VerificationSettings.ForcePolicy == true && container.Image.VerificationDetails != nil {
 			policyName := fmt.Sprintf("policy-%v-%v", podId, i)
 			sigstorePolicy := &policy.ClusterImagePolicy{
 				TypeMeta: metav1.TypeMeta{Kind: "ClusterImagePolicy"}, ObjectMeta: metav1.ObjectMeta{Name: policyName},

pkg/proto-ts/pod_pb.ts

@@ -33,14 +33,9 @@ export class Pod extends Message<Pod> {
   keyPair?: KeyPair;
 
   /**
-   * @generated from field: bool PublicVerifiability = 5;
+   * @generated from field: apocryph.proto.v0.pod.VerificationSettings verificationSettings = 5;
    */
-  PublicVerifiability = false;
-
-  /**
-   * @generated from field: string VerificationHostPath = 6;
-   */
-  VerificationHostPath = "";
+  verificationSettings?: VerificationSettings;
 
   constructor(data?: PartialMessage<Pod>) {
     super();
@@ -54,8 +49,7 @@ export class Pod extends Message<Pod> {
     { no: 2, name: "volumes", kind: "message", T: Volume, repeated: true },
     { no: 3, name: "replicas", kind: "message", T: Replicas },
     { no: 4, name: "keyPair", kind: "message", T: KeyPair },
-    { no: 5, name: "PublicVerifiability", kind: "scalar", T: 8 /* ScalarType.BOOL */ },
-    { no: 6, name: "VerificationHostPath", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+    { no: 5, name: "verificationSettings", kind: "message", T: VerificationSettings },
   ]);
 
   static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): Pod {
@@ -789,3 +783,52 @@ export class KeyPair extends Message<KeyPair> {
   }
 }
 
+/**
+ * @generated from message apocryph.proto.v0.pod.VerificationSettings
+ */
+export class VerificationSettings extends Message<VerificationSettings> {
+  /**
+   * @generated from field: bool ForcePolicy = 1;
+   */
+  ForcePolicy = false;
+
+  /**
+   * @generated from field: bool PublicVerifiability = 2;
+   */
+  PublicVerifiability = false;
+
+  /**
+   * @generated from field: string VerificationHostPath = 3;
+   */
+  VerificationHostPath = "";
+
+  constructor(data?: PartialMessage<VerificationSettings>) {
+    super();
+    proto3.util.initPartial(data, this);
+  }
+
+  static readonly runtime: typeof proto3 = proto3;
+  static readonly typeName = "apocryph.proto.v0.pod.VerificationSettings";
+  static readonly fields: FieldList = proto3.util.newFieldList(() => [
+    { no: 1, name: "ForcePolicy", kind: "scalar", T: 8 /* ScalarType.BOOL */ },
+    { no: 2, name: "PublicVerifiability", kind: "scalar", T: 8 /* ScalarType.BOOL */ },
+    { no: 3, name: "VerificationHostPath", kind: "scalar", T: 9 /* ScalarType.STRING */ },
+  ]);
+
+  static fromBinary(bytes: Uint8Array, options?: Partial<BinaryReadOptions>): VerificationSettings {
+    return new VerificationSettings().fromBinary(bytes, options);
+  }
+
+  static fromJson(jsonValue: JsonValue, options?: Partial<JsonReadOptions>): VerificationSettings {
+    return new VerificationSettings().fromJson(jsonValue, options);
+  }
+
+  static fromJsonString(jsonString: string, options?: Partial<JsonReadOptions>): VerificationSettings {
+    return new VerificationSettings().fromJsonString(jsonString, options);
+  }
+
+  static equals(a: VerificationSettings | PlainMessage<VerificationSettings> | undefined, b: VerificationSettings | PlainMessage<VerificationSettings> | undefined): boolean {
+    return proto3.util.equals(VerificationSettings, a, b);
+  }
+}
+