openshift
diff --git a/‎docs/ClusterImagePolicyAndImagePolicyDesign.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/ClusterImagePolicyAndImagePolicyDesign.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.mod‎
Lines changed: 2 additions & 2 deletions b/‎go.mod‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎go.sum‎
Lines changed: 4 additions & 4 deletions b/‎go.sum‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎pkg/controller/container-runtime-config/container_runtime_config_controller_test.go‎
Lines changed: 4 additions & 4 deletions b/‎pkg/controller/container-runtime-config/container_runtime_config_controller_test.go‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎pkg/controller/container-runtime-config/helpers.go‎
Lines changed: 1 addition & 1 deletion b/‎pkg/controller/container-runtime-config/helpers.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/controller/container-runtime-config/helpers_test.go‎
Lines changed: 18 additions & 18 deletions b/‎pkg/controller/container-runtime-config/helpers_test.go‎
Lines changed: 18 additions & 18 deletions
diff --git a/‎vendor/github.com/openshift/api/.ci-operator.yaml‎
Lines changed: 1 addition & 1 deletion b/‎vendor/github.com/openshift/api/.ci-operator.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎vendor/github.com/openshift/api/.coderabbit.yaml‎
Lines changed: 28 additions & 0 deletions b/‎vendor/github.com/openshift/api/.coderabbit.yaml‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎vendor/github.com/openshift/api/.golangci.yaml‎
Lines changed: 2 additions & 0 deletions b/‎vendor/github.com/openshift/api/.golangci.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎vendor/github.com/openshift/api/AGENTS.md‎
Lines changed: 13 additions & 5 deletions b/‎vendor/github.com/openshift/api/AGENTS.md‎
Lines changed: 13 additions & 5 deletions
@@ -5,9 +5,9 @@ ClusterImagePolicy and ImagePolicy CRD are managed by ContainerRuntimeConfig con
 Generating corresponding CRI-O configuration files for image signature verification. Rollout ClusterImagePolicy to `/etc/containers/policy.json` for cluster wide configuration. Rollout ImagePolicy to `/etc/crio/policies/<NAMESPACE>.json`. Roll out the registries configuration to `/etc/containers/registries.d/sigstore-registries.yaml`.
 
 ## CRD
-[ClusterImagePolicy CRD](https://github.com/openshift/api/blob/master/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies-TechPreviewNoUpgrade.crd.yaml)
+[ClusterImagePolicy CRD](https://github.com/openshift/api/blob/master/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_clusterimagepolicies.crd.yaml)
 
-[ImagePolicy CRD](https://github.com/openshift/api/blob/master/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies-TechPreviewNoUpgrade.crd.yaml)
+[ImagePolicy CRD](https://github.com/openshift/api/blob/master/config/v1alpha1/zz_generated.crd-manifests/0000_10_config-operator_01_imagepolicies.crd.yaml)
 
 ## Example
 
 
@@ -37,8 +37,8 @@ require (
 	github.com/onsi/gomega v1.36.2
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835
-	github.com/openshift/api v0.0.0-20251124235416-c11dd82e305c
-	github.com/openshift/client-go v0.0.0-20251125141819-b6281947c285
+	github.com/openshift/api v0.0.0-20260107103503-6d35063ca179
+	github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13
 	github.com/openshift/library-go v0.0.0-20251015151611-6fc7a74b67c5
 	github.com/openshift/runtime-utils v0.0.0-20230921210328-7bdb5b9c177b
 	github.com/prometheus/client_golang v1.22.0
 
@@ -609,10 +609,10 @@ github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplU
 github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835 h1:rkqIIfdYYkasXbF2XKVgh/3f1mhjSQK9By8WtVMgYo8=
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250916161632-d81c09058835/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
-github.com/openshift/api v0.0.0-20251124235416-c11dd82e305c h1:O72YjES6M2/H052TIZnrJVUNySjfOZy1t8w5hRcj6MM=
-github.com/openshift/api v0.0.0-20251124235416-c11dd82e305c/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
-github.com/openshift/client-go v0.0.0-20251125141819-b6281947c285 h1:D3IKKxAR4Fvzi+kpw7Ji8bOfUlhSYjVqMi1efkBrwUU=
-github.com/openshift/client-go v0.0.0-20251125141819-b6281947c285/go.mod h1:58e6xmnj6BK9memKOhU1LVG5b6i88bn3hkYLdqKCPK0=
+github.com/openshift/api v0.0.0-20260107103503-6d35063ca179 h1:5gMFMmuVLAcEnBAjNFql/8L2ZRPBDOxl7nmbjO5klvk=
+github.com/openshift/api v0.0.0-20260107103503-6d35063ca179/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13 h1:6rd4zSo2UaWQcAPZfHK9yzKVqH0BnMv1hqMzqXZyTds=
+github.com/openshift/client-go v0.0.0-20260108185524-48f4ccfc4e13/go.mod h1:YvOmPmV7wcJxpfhTDuFqqs2Xpb3M3ovsM6Qs/i2ptq4=
 github.com/openshift/kubernetes v1.30.1-0.20251028145634-9e794b89909a h1:uaeiYAYOVlXChnGxvsziVTkzaSlBV7h8Y2U2Bc81UKM=
 github.com/openshift/kubernetes v1.30.1-0.20251028145634-9e794b89909a/go.mod h1:w3+IfrXNp5RosdDXg3LB55yijJqR/FwouvVntYHQf0o=
 github.com/openshift/kubernetes/staging/src/k8s.io/api v0.0.0-20251028145634-9e794b89909a h1:hZUZg/qpvT23oUoCkFWe/Q4VNu5zOeqmDOl3f/F6uRk=
 
@@ -220,10 +220,10 @@ func newClusterImagePolicyWithPublicKey(name string, scopes []string, keyData []
 		ObjectMeta: metav1.ObjectMeta{Name: name, UID: types.UID(utilrand.String(5)), Generation: 1},
 		Spec: apicfgv1.ClusterImagePolicySpec{
 			Scopes: imgScopes,
-			Policy: apicfgv1.Policy{
+			Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 				RootOfTrust: apicfgv1.PolicyRootOfTrust{
 					PolicyType: apicfgv1.PublicKeyRootOfTrust,
-					PublicKey: &apicfgv1.PublicKey{
+					PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 						KeyData: keyData,
 					},
 				},
@@ -242,10 +242,10 @@ func newImagePolicyWithPublicKey(name, namespace string, scopes []string, keyDat
 		ObjectMeta: metav1.ObjectMeta{Name: name, Namespace: namespace, UID: types.UID(utilrand.String(5)), Generation: 1},
 		Spec: apicfgv1.ImagePolicySpec{
 			Scopes: imgScopes,
-			Policy: apicfgv1.Policy{
+			Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 				RootOfTrust: apicfgv1.PolicyRootOfTrust{
 					PolicyType: apicfgv1.PublicKeyRootOfTrust,
-					PublicKey: &apicfgv1.PublicKey{
+					PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 						KeyData: keyData,
 					},
 				},
 
@@ -852,7 +852,7 @@ func ownerReferenceImageConfig(imageConfig *apicfgv1.Image) metav1.OwnerReferenc
 	}
 }
 
-func policyItemFromSpec(policy apicfgv1.Policy) (signature.PolicyRequirement, error) {
+func policyItemFromSpec(policy apicfgv1.ImageSigstoreVerificationPolicy) (signature.PolicyRequirement, error) {
 	var (
 		sigstorePolicyRequirement signature.PolicyRequirement
 		signedIdentity            signature.PolicyReferenceMatch
 
@@ -479,10 +479,10 @@ func clusterImagePolicyTestCRs() map[string]apicfgv1.ClusterImagePolicy {
 			},
 			Spec: apicfgv1.ClusterImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test0.com"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.FulcioCAWithRekorRootOfTrust,
-						FulcioCAWithRekor: &apicfgv1.FulcioCAWithRekor{
+						FulcioCAWithRekor: &apicfgv1.ImagePolicyFulcioCAWithRekorRootOfTrust{
 							FulcioCAData: testFulcioData,
 							RekorKeyData: testRekorKeyData,
 							FulcioSubject: apicfgv1.PolicyFulcioSubject{
@@ -507,10 +507,10 @@ func clusterImagePolicyTestCRs() map[string]apicfgv1.ClusterImagePolicy {
 			},
 			Spec: apicfgv1.ClusterImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test0.com", "test1.com"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PublicKeyRootOfTrust,
-						PublicKey: &apicfgv1.PublicKey{
+						PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData:      testKeyData,
 							RekorKeyData: testRekorKeyData,
 						},
@@ -531,10 +531,10 @@ func clusterImagePolicyTestCRs() map[string]apicfgv1.ClusterImagePolicy {
 			},
 			Spec: apicfgv1.ClusterImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"a.com/a1/a2", "a.com/a1/a2@sha256:0000000000000000000000000000000000000000000000000000000000000000", "*.example.com", "policy.scope", "foo.example.com/ns/repo"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PublicKeyRootOfTrust,
-						PublicKey: &apicfgv1.PublicKey{
+						PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData:      testKeyData,
 							RekorKeyData: testRekorKeyData,
 						},
@@ -548,10 +548,10 @@ func clusterImagePolicyTestCRs() map[string]apicfgv1.ClusterImagePolicy {
 			},
 			Spec: apicfgv1.ClusterImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test3.com/ns/repo"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PKIRootOfTrust,
-						PKI: &apicfgv1.PKI{
+						PKI: &apicfgv1.ImagePolicyPKIRootOfTrust{
 							CertificateAuthorityRootsData:         testCertsData,
 							CertificateAuthorityIntermediatesData: testCertsData,
 							PKICertificateSubject: apicfgv1.PKICertificateSubject{
@@ -579,10 +579,10 @@ func imagePolicyTestCRs() map[string]apicfgv1.ImagePolicy {
 			},
 			Spec: apicfgv1.ImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test0.com", "test2.com"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PublicKeyRootOfTrust,
-						PublicKey: &apicfgv1.PublicKey{
+						PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData: testKeyData,
 						},
 					},
@@ -596,10 +596,10 @@ func imagePolicyTestCRs() map[string]apicfgv1.ImagePolicy {
 			},
 			Spec: apicfgv1.ImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"a.com/a1/a2", "a.com/a1/a2@sha256:0000000000000000000000000000000000000000000000000000000000000000", "*.example.com", "policy.scope", "foo.example.com/ns/repo"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PublicKeyRootOfTrust,
-						PublicKey: &apicfgv1.PublicKey{
+						PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData: testKeyData,
 						},
 					},
@@ -613,10 +613,10 @@ func imagePolicyTestCRs() map[string]apicfgv1.ImagePolicy {
 			},
 			Spec: apicfgv1.ImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test2.com"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PublicKeyRootOfTrust,
-						PublicKey: &apicfgv1.PublicKey{
+						PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData: testKeyData,
 						},
 					},
@@ -630,10 +630,10 @@ func imagePolicyTestCRs() map[string]apicfgv1.ImagePolicy {
 			},
 			Spec: apicfgv1.ImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test3.com"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PublicKeyRootOfTrust,
-						PublicKey: &apicfgv1.PublicKey{
+						PublicKey: &apicfgv1.ImagePolicyPublicKeyRootOfTrust{
 							KeyData: testKeyData,
 						},
 					},
@@ -647,10 +647,10 @@ func imagePolicyTestCRs() map[string]apicfgv1.ImagePolicy {
 			},
 			Spec: apicfgv1.ImagePolicySpec{
 				Scopes: []apicfgv1.ImageScope{"test4.com/ns-policy/repo"},
-				Policy: apicfgv1.Policy{
+				Policy: apicfgv1.ImageSigstoreVerificationPolicy{
 					RootOfTrust: apicfgv1.PolicyRootOfTrust{
 						PolicyType: apicfgv1.PKIRootOfTrust,
-						PKI: &apicfgv1.PKI{
+						PKI: &apicfgv1.ImagePolicyPKIRootOfTrust{
 							CertificateAuthorityRootsData:         testCertsData,
 							CertificateAuthorityIntermediatesData: testCertsData,
 							PKICertificateSubject: apicfgv1.PKICertificateSubject{
Original file line number	Diff line number	Diff line change
`@@ -852,7 +852,7 @@ func ownerReferenceImageConfig(imageConfig *apicfgv1.Image) metav1.OwnerReferenc`
`852`	`852`	`}`
`853`	`853`	`}`
`854`	`854`
`855`		`-func policyItemFromSpec(policy apicfgv1.Policy) (signature.PolicyRequirement, error) {`
	`855`	`+func policyItemFromSpec(policy apicfgv1.ImageSigstoreVerificationPolicy) (signature.PolicyRequirement, error) {`
`856`	`856`	`var (`
`857`	`857`	`sigstorePolicyRequirement signature.PolicyRequirement`
`858`	`858`	`signedIdentity signature.PolicyReferenceMatch`