[cosigned] Rename cosigned references to policy-controller

.github/workflows/build.yaml

@@ -58,7 +58,7 @@ jobs:
         run: gcloud auth configure-docker --quiet
       - name: container
         run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-container
-      - name: cosigned
-        run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-cosigned
+      - name: policy-controller
+        run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-policy-controller
       - name: sget
         run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-sget

.github/workflows/kind-cluster-image-policy-with-attestations.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: Test cosigned with ClusterImagePolicy with attestations
+name: Test policy-controller with ClusterImagePolicy with attestations
 
 on:
   pull_request:
@@ -40,7 +40,7 @@ jobs:
 
     env:
       KNATIVE_VERSION: "1.1.0"
-      KO_DOCKER_REPO: "registry.local:5000/cosigned"
+      KO_DOCKER_REPO: "registry.local:5000/policy-controller"
       SCAFFOLDING_RELEASE_VERSION: "v0.2.8"
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w
@@ -74,17 +74,17 @@ jobs:
     - name: Install cluster + cosign
       uses: sigstore/scaffolding/actions/setup@main
 
-    - name: Install cosigned
+    - name: Install policy-controller
       env:
         GIT_HASH: ${{ github.sha }}
         GIT_VERSION: ci
         LDFLAGS: ""
-        COSIGNED_YAML: cosigned-e2e.yaml
-        KO_PREFIX: registry.local:5000/cosigned
+        COSIGNED_YAML: policy-controller-e2e.yaml
+        KO_PREFIX: registry.local:5000/policy-controller
         COSIGNED_ARCHS: linux/amd64
       run: |
-        make ko-cosigned
-        kubectl apply -f cosigned-e2e.yaml
+        make ko-policy-controller
+        kubectl apply -f policy-controller-e2e.yaml
 
         # Wait for the webhook to come up and become Ready
         kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook

.github/workflows/kind-cluster-image-policy.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: Test cosigned with ClusterImagePolicy
+name: Test policy-controller with ClusterImagePolicy
 
 on:
   pull_request:
@@ -40,7 +40,7 @@ jobs:
 
     env:
       KNATIVE_VERSION: "1.1.0"
-      KO_DOCKER_REPO: "registry.local:5000/cosigned"
+      KO_DOCKER_REPO: "registry.local:5000/policy-controller"
       SCAFFOLDING_RELEASE_VERSION: "v0.2.2"
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w
@@ -74,17 +74,17 @@ jobs:
     - name: Install cluster + cosign
       uses: sigstore/scaffolding/actions/setup@main
 
-    - name: Install cosigned
+    - name: Install policy-controller
       env:
         GIT_HASH: ${{ github.sha }}
         GIT_VERSION: ci
         LDFLAGS: ""
-        COSIGNED_YAML: cosigned-e2e.yaml
-        KO_PREFIX: registry.local:5000/cosigned
+        COSIGNED_YAML: policy-controller-e2e.yaml
+        KO_PREFIX: registry.local:5000/policy-controller
         COSIGNED_ARCHS: linux/amd64
       run: |
-        make ko-cosigned
-        kubectl apply -f cosigned-e2e.yaml
+        make ko-policy-controller
+        kubectl apply -f policy-controller-e2e.yaml
 
         # Wait for the webhook to come up and become Ready
         kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook

.github/workflows/kind-e2e-cosigned.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: Cosigned KinD E2E
+name: Policy Controller KinD E2E
 
 on:
   pull_request:
@@ -40,7 +40,7 @@ jobs:
       REGISTRY_PORT: 5000
       INSECURE_REGISTRY_NAME: insecure-registry.notlocal
       INSECURE_REGISTRY_PORT: 5001
-      KO_DOCKER_REPO: registry.local:5000/cosigned
+      KO_DOCKER_REPO: registry.local:5000/policy-controller
 
     steps:
     - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.4.0
@@ -97,17 +97,17 @@ jobs:
         # local registry, even when pushing $INSECURE_REGISTRY_NAME:$INSECURE_REGISTRY_NAME/some/image
         sudo echo "127.0.0.1 $INSECURE_REGISTRY_NAME" | sudo tee -a /etc/hosts
 
-    - name: Install cosigned
+    - name: Install policy-controller
       env:
         GIT_HASH: ${{ github.sha }}
         GIT_VERSION: ci
         LDFLAGS: ""
-        COSIGNED_YAML: cosigned-e2e.yaml
-        KO_PREFIX: registry.local:5000/cosigned
+        COSIGNED_YAML: policy-controller-e2e.yaml
+        KO_PREFIX: registry.local:5000/policy-controller
         COSIGNED_ARCHS: linux/amd64
       run: |
-        make ko-cosigned
-        kubectl apply -f cosigned-e2e.yaml
+        make ko-policy-controller
+        kubectl apply -f policy-controller-e2e.yaml
 
         # Wait for the webhook to come up and become Ready
         kubectl rollout status --timeout 5m --namespace cosign-system deployments/webhook
@@ -121,9 +121,9 @@ jobs:
       run: |
         ./test/e2e_test_policy_crd.sh
 
-    - name: Run Cosigned Tests
+    - name: Run Policy Controller Tests
       run: |
-        ./test/e2e_test_cosigned.sh
+        ./test/e2e_test_policy_controller.sh
 
     - name: Collect diagnostics
       if: ${{ failure() }}

.github/workflows/kind-verify-attestation.yaml

@@ -40,7 +40,7 @@ jobs:
 
     env:
       KNATIVE_VERSION: "1.1.0"
-      KO_DOCKER_REPO: "registry.local:5000/cosigned"
+      KO_DOCKER_REPO: "registry.local:5000/policy-controller"
       SCAFFOLDING_RELEASE_VERSION: "v0.2.2"
       GO111MODULE: on
       GOFLAGS: -ldflags=-s -ldflags=-w

.gitignore

@@ -28,7 +28,7 @@
 bin*
 dist/
 cosignImagerefs
-cosignedImagerefs
+policyControllerImagerefs
 sgetImagerefs
 policyImagerefs
 

.ko.yaml

@@ -32,7 +32,7 @@ builds:
   - -extldflags "-static"
   - "{{ .Env.LDFLAGS }}"
 
-- id: cosigned
+- id: policy-controller
   dir: .
   main: ./cmd/cosign/webhook
   env:

Makefile

@@ -91,9 +91,9 @@ cosign: $(SRCS)
 cosign-pivkey-pkcs11key: $(SRCS)
 	CGO_ENABLED=1 go build -trimpath -tags=pivkey,pkcs11key -ldflags "$(LDFLAGS)" -o cosign ./cmd/cosign
 
-## Build cosigned binary
-.PHONY: cosigned
-cosigned: policy-webhook
+## Build policy-controller binary
+.PHONY: policy-controller
+policy-controller: policy-webhook
 	CGO_ENABLED=0 go build -trimpath -ldflags "$(LDFLAGS)" -o $@ ./cmd/cosign/webhook
 
 .PHONY: policy-webhook
@@ -128,7 +128,7 @@ test:
 
 clean:
 	rm -rf cosign
-	rm -rf cosigned
+	rm -rf policy-controller
 	rm -rf sget
 	rm -rf dist/
 
@@ -151,7 +151,7 @@ endef
 # ko build
 ##########
 .PHONY: ko
-ko: ko-cosign ko-sget ko-cosigned
+ko: ko-cosign ko-sget ko-policy-controller
 
 .PHONY: ko-cosign
 ko-cosign:
@@ -171,13 +171,13 @@ ko-sget:
 		--image-refs sgetImagerefs \
 		github.com/sigstore/cosign/cmd/sget
 
-.PHONY: ko-cosigned
-ko-cosigned: kustomize-cosigned ko-policy-webhook
-	# cosigned
+.PHONY: ko-policy-controller
+ko-policy-controller: kustomize-policy-controller ko-policy-webhook
+	# policy-controller
 	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) \
-	KOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=$(KO_PREFIX)/cosigned ko resolve --bare \
+	KOCACHE=$(KOCACHE_PATH) KO_DOCKER_REPO=$(KO_PREFIX)/policy-controller ko resolve --bare \
 		--platform=$(COSIGNED_ARCHS) --tags $(GIT_VERSION) --tags $(GIT_HASH)$(LATEST_TAG) \
-		--image-refs cosignedImagerefs --filename config/webhook.yaml >> $(COSIGNED_YAML)
+		--image-refs policyControllerImagerefs --filename config/webhook.yaml >> $(COSIGNED_YAML)
 
 ko-policy-webhook:
 	# policy_webhook
@@ -212,8 +212,8 @@ ko-apply:
 	LDFLAGS="$(LDFLAGS)" GIT_HASH=$(GIT_HASH) GIT_VERSION=$(GIT_VERSION) ko apply -Bf config/
 
 
-.PHONY: kustomize-cosigned
-kustomize-cosigned:
+.PHONY: kustomize-policy-controller
+kustomize-policy-controller:
 	kustomize build config/ > $(COSIGNED_YAML)
 
 ##################

cmd/cosign/policy_webhook/main.go

@@ -33,9 +33,9 @@ import (
 	"knative.dev/pkg/webhook/resourcesemantics/validation"
 	"sigs.k8s.io/release-utils/version"
 
-	"github.com/sigstore/cosign/pkg/apis/cosigned"
-	"github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
-	"github.com/sigstore/cosign/pkg/apis/cosigned/v1beta1"
+	"github.com/sigstore/cosign/pkg/apis/policy"
+	"github.com/sigstore/cosign/pkg/apis/policy/v1alpha1"
+	"github.com/sigstore/cosign/pkg/apis/policy/v1beta1"
 	"github.com/sigstore/cosign/pkg/reconciler/clusterimagepolicy"
 
 	// Register the provider-specific plugins
@@ -52,15 +52,15 @@ var (
 	// with the resource types, namespace selectors, CABindle and service path.
 	// If this changes, you must also change:
 	//    ./config/501-policy-webhook-configurations.yaml
-	//    https://github.com/sigstore/helm-charts/blob/main/charts/cosigned/templates/policy-webhook/policy_webhook_configurations.yaml
+	//    https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml
 	mutatingWebhookName = flag.String("mutating-webhook-name", "defaulting.clusterimagepolicy.sigstore.dev", "The name of the mutating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.")
 	// validatingWebhookName holds the name of the validating webhook configuration
 	// resource dispatching admission requests to policy-webhook.
 	// It is also the name of the webhook which is injected by the controller
 	// with the resource types, namespace selectors, CABindle and service path.
 	// If this changes, you must also change:
 	//    ./config/501-policy-webhook-configurations.yaml
-	//    https://github.com/sigstore/helm-charts/blob/main/charts/cosigned/templates/policy-webhook/policy_webhook_configurations.yaml
+	//    https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/policy-webhook/policy_webhook_configurations.yaml
 	validatingWebhookName = flag.String("validating-webhook-name", "validating.clusterimagepolicy.sigstore.dev", "The name of the validating webhook configuration as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-webhook.")
 )
 
@@ -135,7 +135,7 @@ func newConversionController(ctx context.Context, cmw configmap.Watcher) *contro
 		// Specify the types of custom resource definitions that should be converted
 		map[schema.GroupKind]conversion.GroupKindConversion{
 			v1beta1.Kind("ClusterImagePolicy"): {
-				DefinitionName: cosigned.ClusterImagePolicyResource.String(),
+				DefinitionName: policy.ClusterImagePolicyResource.String(),
 				HubVersion:     v1alpha1GroupVersion,
 				Zygotes: map[string]conversion.ConvertibleObject{
 					v1alpha1GroupVersion: &v1alpha1.ClusterImagePolicy{},

cmd/cosign/webhook/main.go

@@ -45,14 +45,14 @@ import (
 var secretName = flag.String("secret-name", "", "The name of the secret in the webhook's namespace that holds the public key for verification.")
 
 // webhookName holds the name of the validating and mutating webhook
-// configuration resources dispatching admission requests to cosigned.
+// configuration resources dispatching admission requests to policy-controller.
 // It is also the name of the webhook which is injected by the controller
 // with the resource types, namespace selectors, CABindle and service path.
 // If this changes, you must also change:
 //    ./config/500-webhook-configuration.yaml
-//    https://github.com/sigstore/helm-charts/blob/main/charts/cosigned/templates/webhook/webhook_mutating.yaml
-//    https://github.com/sigstore/helm-charts/blob/main/charts/cosigned/templates/webhook/webhook_validating.yaml
-var webhookName = flag.String("webhook-name", "cosigned.sigstore.dev", "The name of the validating and mutating webhook configurations as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to cosigned.")
+//    https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/webhook/webhook_mutating.yaml
+//    https://github.com/sigstore/helm-charts/blob/main/charts/policy-controller/templates/webhook/webhook_validating.yaml
+var webhookName = flag.String("webhook-name", "policy.sigstore.dev", "The name of the validating and mutating webhook configurations as well as the webhook name that is automatically configured, if exists, with different rules and client settings setting how the admission requests to be dispatched to policy-controller.")
 
 func main() {
 	opts := webhook.Options{
@@ -69,7 +69,7 @@ func main() {
 	vJSON, _ := v.JSONString()
 	log.Printf("%v", vJSON)
 	// This calls flag.Parse()
-	sharedmain.MainWithContext(ctx, "cosigned",
+	sharedmain.MainWithContext(ctx, "policy-controller",
 		certificates.NewController,
 		NewValidatingAdmissionController,
 		NewMutatingAdmissionController,

cmd/schema/main.go

@@ -20,7 +20,7 @@ import (
 	"knative.dev/hack/schema/commands"
 	"knative.dev/hack/schema/registry"
 
-	v1alpha1 "github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
+	v1alpha1 "github.com/sigstore/cosign/pkg/apis/policy/v1alpha1"
 )
 
 // schema is a tool to dump the schema for Eventing resources.

config/100-namespace.yaml

@@ -17,4 +17,4 @@ kind: Namespace
 metadata:
   name: cosign-system
   labels:
-    cosigned.sigstore.dev/include: "false"
+    policy.sigstore.dev/include: "false"

config/200-clusterrole.yaml

@@ -15,7 +15,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: cosigned-rbac
+  name: policy-controller-rbac
 rules:
   - apiGroups: [""]
     resources: ["events"]
@@ -28,7 +28,7 @@ rules:
   - apiGroups: ["admissionregistration.k8s.io"]
     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
     verbs: ["get", "update"]
-    resourceNames: ["cosigned.sigstore.dev", "validating.clusterimagepolicy.sigstore.dev", "defaulting.clusterimagepolicy.sigstore.dev"]
+    resourceNames: ["policy.sigstore.dev", "validating.clusterimagepolicy.sigstore.dev", "defaulting.clusterimagepolicy.sigstore.dev"]
 
   - apiGroups: [""]
     resources: ["namespaces"]
@@ -45,10 +45,10 @@ rules:
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
     verbs: ["get", "update"]
-    resourceNames: ["clusterimagepolicies.cosigned.sigstore.dev"]
+    resourceNames: ["clusterimagepolicies.policy.sigstore.dev"]
 
   # Allow reconciliation of the ClusterImagePolic CRDs.
-  - apiGroups: ["cosigned.sigstore.dev"]
+  - apiGroups: ["policy.sigstore.dev"]
     resources: ["clusterimagepolicies"]
     verbs: ["get", "list", "update", "watch", "patch"]
 

config/200-role.yaml

@@ -15,7 +15,7 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: cosigned-namespace-rbac
+  name: policy-controller-namespace-rbac
   namespace: cosign-system
 rules:
   # Needed to watch and load configuration and secret data.

config/201-clusterrolebinding.yaml

@@ -15,12 +15,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cosigned-webhook
+  name: policy-controller-webhook
 subjects:
   - kind: ServiceAccount
     name: webhook
     namespace: cosign-system
 roleRef:
   kind: ClusterRole
-  name: cosigned-rbac
+  name: policy-controller-rbac
   apiGroup: rbac.authorization.k8s.io

config/201-rolebinding.yaml

@@ -15,13 +15,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: cosigned-webhook
+  name: policy-controller-webhook
   namespace: cosign-system
 subjects:
   - kind: ServiceAccount
     name: webhook
     namespace: cosign-system
 roleRef:
   kind: Role
-  name: cosigned-namespace-rbac
+  name: policy-controller-namespace-rbac
   apiGroup: rbac.authorization.k8s.io

config/300-clusterimagepolicy.yaml

@@ -14,9 +14,9 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
-  name: clusterimagepolicies.cosigned.sigstore.dev
+  name: clusterimagepolicies.policy.sigstore.dev
 spec:
-  group: cosigned.sigstore.dev
+  group: policy.sigstore.dev
   names:
     kind: ClusterImagePolicy
     plural: clusterimagepolicies