openshift · sanchezl · Dec 15, 2025 · Dec 17, 2025 · Dec 15, 2025
diff --git a/go.mod b/go.mod
@@ -37,7 +37,7 @@ require (
 	github.com/onsi/gomega v1.36.2
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835
-	github.com/openshift/api v0.0.0-20251124235416-c11dd82e305c
+	github.com/openshift/api v0.0.0-20251204164930-cd2e40c5883a
 	github.com/openshift/client-go v0.0.0-20251125141819-b6281947c285
 	github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5
 	github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b
@@ -454,3 +454,7 @@ replace (
 	k8s.io/sample-cli-plugin => github.com/openshift/kubernetes/staging/src/k8s.io/sample-cli-plugin v0.0.0-20251028145634-9e794b89909a
 	k8s.io/sample-controller => github.com/openshift/kubernetes/staging/src/k8s.io/sample-controller v0.0.0-20251028145634-9e794b89909a
 )
+
+replace github.com/openshift/api => github.com/sanchezl/api v0.0.0-20251217211515-65b693c2242f
+
+replace github.com/openshift/client-go => github.com/sanchezl/client-go v0.0.0-20251217212404-03b3eb44269f
diff --git a/go.sum b/go.sum
@@ -609,10 +609,6 @@ github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplU
 github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835 h1:rkqIIfdYYkasXbF2XKVgh/3f1mhjSQK9By8WtVMgYo8=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
-github.com/openshift/api v0.0.0-20251124235416-c11dd82e305c h1:O72YjES6M2/H052TIZnrJVUNySjfOZy1t8w5hRcj6MM=
-github.com/openshift/api v0.0.0-20251124235416-c11dd82e305c/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
-github.com/openshift/client-go v0.0.0-20251125141819-b6281947c285 h1:D3IKKxAR4Fvzi+kpw7Ji8bOfUlhSYjVqMi1efkBrwUU=
-github.com/openshift/client-go v0.0.0-20251125141819-b6281947c285/go.mod h1:58e6xmnj6BK9memKOhU1LVG5b6i88bn3hkYLdqKCPK0=
 github.com/openshift/kubernetes v1.30.1-0.20251028145634-9e794b89909a h1:uaeiYAYOVlXChnGxvsziVTkzaSlBV7h8Y2U2Bc81UKM=
 github.com/openshift/kubernetes v1.30.1-0.20251028145634-9e794b89909a/go.mod h1:w3+IfrXNp5RosdDXg3LB55yijJqR/FwouvVntYHQf0o=
 github.com/openshift/kubernetes/staging/src/k8s.io/api v0.0.0-20251028145634-9e794b89909a h1:hZUZg/qpvT23oUoCkFWe/Q4VNu5zOeqmDOl3f/F6uRk=
@@ -736,6 +732,10 @@ github.com/ryanrolds/sqlclosecheck v0.5.1 h1:dibWW826u0P8jNLsLN+En7+RqWWTYrjCB9f
 github.com/ryanrolds/sqlclosecheck v0.5.1/go.mod h1:2g3dUjoS6AL4huFdv6wn55WpLIDjY7ZgUR4J8HOO/XQ=
 github.com/sagikazarmark/locafero v0.6.0 h1:ON7AQg37yzcRPU69mt7gwhFEBwxI6P9T4Qu3N51bwOk=
 github.com/sagikazarmark/locafero v0.6.0/go.mod h1:77OmuIc6VTraTXKXIs/uvUxKGUXjE1GbemJYHqdNjX0=
+github.com/sanchezl/api v0.0.0-20251217211515-65b693c2242f h1:xhRLt8q0qVX0Pq+K0RotL4uaBAU//Vu+WTWK2IRfnT8=
+github.com/sanchezl/api v0.0.0-20251217211515-65b693c2242f/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/sanchezl/client-go v0.0.0-20251217212404-03b3eb44269f h1:73a1UefA/Iw7rKJcupjDPvxLJJR1H7Rfw+JjEnElcgw=
+github.com/sanchezl/client-go v0.0.0-20251217212404-03b3eb44269f/go.mod h1:yP3OUebJD/hLlvvmZ78aQeR9ISZ1L87gIvzzfLCNo8Y=
 github.com/sanposhiho/wastedassign/v2 v2.1.0 h1:crurBF7fJKIORrV85u9UUpePDYGWnwvv3+A96WvwXT0=
 github.com/sanposhiho/wastedassign/v2 v2.1.0/go.mod h1:+oSmSC+9bQ+VUAxA66nBb0Z7N8CK7mscKTDYC6aIek4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=

diff --git a/pkg/controller/container-runtime-config/container_runtime_config_controller_test.go b/pkg/controller/container-runtime-config/container_runtime_config_controller_test.go
@@ -220,10 +220,10 @@ func newClusterImagePolicyWithPublicKey(name string, scopes []string, keyData []
 		ObjectMeta: metav1.ObjectMeta{Name: name, UID: types.UID(utilrand.String(5)), Generation: 1},
 		Spec: apicfgv1.ClusterImagePolicySpec{
 			Scopes: imgScopes,
-			Policy: apicfgv1.Policy{
+			Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 				RootOfTrust: apicfgv1.PolicyRootOfTrust{
 					PolicyType: apicfgv1.PublicKeyRootOfTrust,
-					PublicKey: &apicfgv1.PublicKey{
+					PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 						KeyData: keyData,
 					},
 				},
@@ -242,10 +242,10 @@ func newImagePolicyWithPublicKey(name, namespace string, scopes []string, keyDat
 		ObjectMeta: metav1.ObjectMeta{Name: name, Namespace: namespace, UID: types.UID(utilrand.String(5)), Generation: 1},
 		Spec: apicfgv1.ImagePolicySpec{
 			Scopes: imgScopes,
-			Policy: apicfgv1.Policy{
+			Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 				RootOfTrust: apicfgv1.PolicyRootOfTrust{
 					PolicyType: apicfgv1.PublicKeyRootOfTrust,
-					PublicKey: &apicfgv1.PublicKey{
+					PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 						KeyData: keyData,
 					},
 				},

diff --git a/pkg/controller/container-runtime-config/helpers.go b/pkg/controller/container-runtime-config/helpers.go
@@ -852,7 +852,7 @@ func ownerReferenceImageConfig(imageConfig *apicfgv1.Image) metav1.OwnerReferenc
 	}
 }
 
-func policyItemFromSpec(policy apicfgv1.Policy) (signature.PolicyRequirement, error) {
+func policyItemFromSpec(policy apicfgv1.ImageSigstoreVerificationPolicy) (signature.PolicyRequirement, error) {
 	var (
 		sigstorePolicyRequirement signature.PolicyRequirement
 		signedIdentity            signature.PolicyReferenceMatch

diff --git a/pkg/controller/container-runtime-config/helpers_test.go b/pkg/controller/container-runtime-config/helpers_test.go
@@ -479,10 +479,10 @@ func clusterImagePolicyTestCRs() map[string]apicfgv1.ClusterImagePolicy {
 			},
 			Spec: apicfgv1.ClusterImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test0.com"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.FulcioCAWithRekorRootOfTrust,
-						FulcioCAWithRekor: &apicfgv1.FulcioCAWithRekor{
+						FulcioCAWithRekor: &apicfgv1.ImagePolicyFulcioCAWithRekorRootOfTrust{
 							FulcioCAData: testFulcioData,
 							RekorKeyData: testRekorKeyData,
 							FulcioSubject: apicfgv1.PolicyFulcioSubject{
@@ -507,10 +507,10 @@ func clusterImagePolicyTestCRs() map[string]apicfgv1.ClusterImagePolicy {
 			},
 			Spec: apicfgv1.ClusterImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test0.com", "test1.com"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PublicKeyRootOfTrust,
-						PublicKey: &apicfgv1.PublicKey{
+						PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData:      testKeyData,
 							RekorKeyData: testRekorKeyData,
 						},
@@ -531,10 +531,10 @@ func clusterImagePolicyTestCRs() map[string]apicfgv1.ClusterImagePolicy {
 			},
 			Spec: apicfgv1.ClusterImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"a.com/a1/a2", "a.com/a1/a2@sha256:0000000000000000000000000000000000000000000000000000000000000000", "*.example.com", "policy.scope", "foo.example.com/ns/repo"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PublicKeyRootOfTrust,
-						PublicKey: &apicfgv1.PublicKey{
+						PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData:      testKeyData,
 							RekorKeyData: testRekorKeyData,
 						},
@@ -548,10 +548,10 @@ func clusterImagePolicyTestCRs() map[string]apicfgv1.ClusterImagePolicy {
 			},
 			Spec: apicfgv1.ClusterImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test3.com/ns/repo"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PKIRootOfTrust,
-						PKI: &apicfgv1.PKI{
+						PKI: &apicfgv1.ImagePolicyPKIRootOfTrust{
 							CertificateAuthorityRootsData:         testCertsData,
 							CertificateAuthorityIntermediatesData: testCertsData,
 							PKICertificateSubject: apicfgv1.PKICertificateSubject{
@@ -579,10 +579,10 @@ func imagePolicyTestCRs() map[string]apicfgv1.ImagePolicy {
 			},
 			Spec: apicfgv1.ImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test0.com", "test2.com"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PublicKeyRootOfTrust,
-						PublicKey: &apicfgv1.PublicKey{
+						PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData: testKeyData,
 						},
 					},
@@ -596,10 +596,10 @@ func imagePolicyTestCRs() map[string]apicfgv1.ImagePolicy {
 			},
 			Spec: apicfgv1.ImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"a.com/a1/a2", "a.com/a1/a2@sha256:0000000000000000000000000000000000000000000000000000000000000000", "*.example.com", "policy.scope", "foo.example.com/ns/repo"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PublicKeyRootOfTrust,
-						PublicKey: &apicfgv1.PublicKey{
+						PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData: testKeyData,
 						},
 					},
@@ -613,10 +613,10 @@ func imagePolicyTestCRs() map[string]apicfgv1.ImagePolicy {
 			},
 			Spec: apicfgv1.ImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test2.com"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PublicKeyRootOfTrust,
-						PublicKey: &apicfgv1.PublicKey{
+						PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData: testKeyData,
 						},
 					},
@@ -630,10 +630,10 @@ func imagePolicyTestCRs() map[string]apicfgv1.ImagePolicy {
 			},
 			Spec: apicfgv1.ImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test3.com"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PublicKeyRootOfTrust,
-						PublicKey: &apicfgv1.PublicKey{
+						PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData: testKeyData,
 						},
 					},
@@ -647,10 +647,10 @@ func imagePolicyTestCRs() map[string]apicfgv1.ImagePolicy {
 			},
 			Spec: apicfgv1.ImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test4.com/ns-policy/repo"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PKIRootOfTrust,
-						PKI: &apicfgv1.PKI{
+						PKI: &apicfgv1.ImagePolicyPKIRootOfTrust{
 							CertificateAuthorityRootsData:         testCertsData,
 							CertificateAuthorityIntermediatesData: testCertsData,
 							PKICertificateSubject: apicfgv1.PKICertificateSubject{

diff --git a/vendor/github.com/openshift/api/AGENTS.md b/vendor/github.com/openshift/api/AGENTS.md
diff --git a/vendor/github.com/openshift/api/config/v1/register.go b/vendor/github.com/openshift/api/config/v1/register.go
diff --git a/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_cluster_image_policy.go
diff --git a/vendor/github.com/openshift/api/config/v1/types_feature.go b/vendor/github.com/openshift/api/config/v1/types_feature.go
diff --git a/vendor/github.com/openshift/api/config/v1/types_image_policy.go b/vendor/github.com/openshift/api/config/v1/types_image_policy.go