openshift · sanchezl · Dec 15, 2025 · Dec 15, 2025
diff --git a/config/v1/types_cluster_image_policy.go b/config/v1/types_cluster_image_policy.go
@@ -52,7 +52,7 @@ type ClusterImagePolicySpec struct {
 	// policy is a required field that contains configuration to allow scopes to be verified, and defines how
 	// images not matching the verification policy will be treated.
 	// +required
-	Policy Policy `json:"policy"`
+	Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +k8s:deepcopy-gen=true

diff --git a/config/v1/types_image_policy.go b/config/v1/types_image_policy.go
@@ -51,7 +51,7 @@ type ImagePolicySpec struct {
 	// policy is a required field that contains configuration to allow scopes to be verified, and defines how
 	// images not matching the verification policy will be treated.
 	// +required
-	Policy Policy `json:"policy"`
+	Policy ImageSigstoreVerificationPolicy `json:"policy"`
 }
 
 // +kubebuilder:validation:XValidation:rule="size(self.split('/')[0].split('.')) == 1 ? self.split('/')[0].split('.')[0].split(':')[0] == 'localhost' : true",message="invalid image scope format, scope must contain a fully qualified domain name or 'localhost'"
@@ -60,8 +60,8 @@ type ImagePolicySpec struct {
 // +kubebuilder:validation:MaxLength=512
 type ImageScope string
 
-// Policy defines the verification policy for the items in the scopes list.
-type Policy struct {
+// ImageSigstoreVerificationPolicy defines the verification policy for the items in the scopes list.
+type ImageSigstoreVerificationPolicy struct {
 	// rootOfTrust is a required field that defines the root of trust for verifying image signatures during retrieval.
 	// This allows image consumers to specify policyType and corresponding configuration of the policy, matching how the policy was generated.
 	// +required
@@ -89,18 +89,18 @@ type PolicyRootOfTrust struct {
 	// publicKey defines the root of trust configuration based on a sigstore public key. Optionally include a Rekor public key for Rekor verification.
 	// publicKey is required when policyType is PublicKey, and forbidden otherwise.
 	// +optional
-	PublicKey *PublicKey `json:"publicKey,omitempty"`
+	PublicKey *ImagePolicyPublicKeyRootOfTrust `json:"publicKey,omitempty"`
 	// fulcioCAWithRekor defines the root of trust configuration based on the Fulcio certificate and the Rekor public key.
 	// fulcioCAWithRekor is required when policyType is FulcioCAWithRekor, and forbidden otherwise
 	// For more information about Fulcio and Rekor, please refer to the document at:
 	// https://github.com/sigstore/fulcio and https://github.com/sigstore/rekor
 	// +optional
-	FulcioCAWithRekor *FulcioCAWithRekor `json:"fulcioCAWithRekor,omitempty"`
+	FulcioCAWithRekor *ImagePolicyFulcioCAWithRekorRootOfTrust `json:"fulcioCAWithRekor,omitempty"`
 	// pki defines the root of trust configuration based on Bring Your Own Public Key Infrastructure (BYOPKI) Root CA(s) and corresponding intermediate certificates.
 	// pki is required when policyType is PKI, and forbidden otherwise.
 	// +optional
 	// +openshift:enable:FeatureGate=SigstoreImageVerificationPKI
-	PKI *PKI `json:"pki,omitempty"`
+	PKI *ImagePolicyPKIRootOfTrust `json:"pki,omitempty"`
 }
 
 // +openshift:validation:FeatureGateAwareEnum:featureGate="",enum=PublicKey;FulcioCAWithRekor
@@ -113,8 +113,8 @@ const (
 	PKIRootOfTrust               PolicyType = "PKI"
 )
 
-// PublicKey defines the root of trust based on a sigstore public key.
-type PublicKey struct {
+// ImagePolicyPublicKeyRootOfTrust defines the root of trust based on a sigstore public key.
+type ImagePolicyPublicKeyRootOfTrust struct {
 	// keyData is a required field contains inline base64-encoded data for the PEM format public key.
 	// keyData must be at most 8192 characters.
 	// +required
@@ -132,8 +132,8 @@ type PublicKey struct {
 	RekorKeyData []byte `json:"rekorKeyData,omitempty"`
 }
 
-// FulcioCAWithRekor defines the root of trust based on the Fulcio certificate and the Rekor public key.
-type FulcioCAWithRekor struct {
+// ImagePolicyFulcioCAWithRekorRootOfTrust defines the root of trust based on the Fulcio certificate and the Rekor public key.
+type ImagePolicyFulcioCAWithRekorRootOfTrust struct {
 	// fulcioCAData is a required field contains inline base64-encoded data for the PEM format fulcio CA.
 	// fulcioCAData must be at most 8192 characters.
 	// +required
@@ -172,8 +172,8 @@ type PolicyFulcioSubject struct {
 	SignedEmail string `json:"signedEmail"`
 }
 
-// PKI defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
-type PKI struct {
+// ImagePolicyPKIRootOfTrust defines the root of trust based on Root CA(s) and corresponding intermediate certificates.
+type ImagePolicyPKIRootOfTrust struct {
 	// caRootsData contains base64-encoded data of a certificate bundle PEM file, which contains one or more CA roots in the PEM format. The total length of the data must not exceed 8192 characters.
 	// +required
 	// +kubebuilder:validation:MaxLength=8192

diff --git a/config/v1/zz_generated.deepcopy.go b/config/v1/zz_generated.deepcopy.go