diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
index 75495ed44..37711e4ea 100644
--- a/.github/workflows/build-pr.yml
+++ b/.github/workflows/build-pr.yml
@@ -87,7 +87,7 @@ jobs:
strategy:
matrix:
KUBERNETES_VERSION: ["1.26.10", "1.27.7"]
- GATEKEEPER_VERSION: ["3.11.0", "3.12.0", "3.13.0"]
+ GATEKEEPER_VERSION: ["3.12.0", "3.13.0", "3.14.0"]
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -147,7 +147,7 @@ jobs:
strategy:
matrix:
KUBERNETES_VERSION: ["1.26.10", "1.27.7"]
- GATEKEEPER_VERSION: ["3.11.0", "3.12.0", "3.13.0"]
+ GATEKEEPER_VERSION: ["3.12.0", "3.13.0", "3.14.0"]
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 858f3c90b..4afdb6776 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -184,7 +184,7 @@ image:
```
Deploy using one of the following deployments.
-Note: Ratify is compatible with Gatkeeper >= 3.11.0. Server auth is required to be enabled.
+Note: Ratify is compatible with Gatekeeper >= 3.12.0. Server auth is required to be enabled.
**Option 1**
Client auth disabled and server auth enabled using self signed certificate
diff --git a/Makefile b/Makefile
index 039cbd987..c03c45141 100644
--- a/Makefile
+++ b/Makefile
@@ -28,7 +28,7 @@ LDFLAGS += -X $(GO_PKG)/internal/version.GitTag=$(GIT_TAG)
KIND_VERSION ?= 0.14.0
KUBERNETES_VERSION ?= 1.27.7
KIND_KUBERNETES_VERSION ?= 1.27.3
-GATEKEEPER_VERSION ?= 3.13.0
+GATEKEEPER_VERSION ?= 3.14.0
DAPR_VERSION ?= 1.11.1
COSIGN_VERSION ?= 1.13.1
NOTATION_VERSION ?= 1.0.0-rc.7
@@ -431,16 +431,10 @@ e2e-azure-setup: e2e-create-all-image e2e-notation-setup e2e-notation-leaf-cert-
e2e-deploy-gatekeeper: e2e-helm-install
./.staging/helm/linux-amd64/helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
- ./.staging/helm/linux-amd64/helm install gatekeeper/gatekeeper \
- --version ${GATEKEEPER_VERSION} \
- --name-template=gatekeeper \
- --namespace ${GATEKEEPER_NAMESPACE} --create-namespace \
- --set enableExternalData=true \
- --set validatingWebhookTimeoutSeconds=5 \
- --set mutatingWebhookTimeoutSeconds=2 \
- --set auditInterval=0
-
+ if [ ${GATEKEEPER_VERSION} = "3.12.0" ] || [ ${GATEKEEPER_VERSION} = "3.13.0" ]; then ./.staging/helm/linux-amd64/helm install gatekeeper/gatekeeper --version ${GATEKEEPER_VERSION} --name-template=gatekeeper --namespace ${GATEKEEPER_NAMESPACE} --create-namespace --set enableExternalData=true --set validatingWebhookTimeoutSeconds=5 --set mutatingWebhookTimeoutSeconds=2 --set auditInterval=0; fi
if [ ${GATEKEEPER_VERSION} = "3.13.0" ]; then kubectl -n ${GATEKEEPER_NAMESPACE} patch deployment gatekeeper-controller-manager --type=json -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--external-data-provider-response-cache-ttl=1s"}]' && sleep 60; fi
+ # Gatekeeper versions >= 3.14.0 need a special helm value to override the default external data response cache ttl to 10s
+ if [ ${GATEKEEPER_VERSION} != "3.12.0" ] && [ ${GATEKEEPER_VERSION} != "3.13.0" ]; then ./.staging/helm/linux-amd64/helm install gatekeeper/gatekeeper --version ${GATEKEEPER_VERSION} --name-template=gatekeeper --namespace ${GATEKEEPER_NAMESPACE} --create-namespace --set enableExternalData=true --set validatingWebhookTimeoutSeconds=5 --set mutatingWebhookTimeoutSeconds=2 --set auditInterval=0 --set externaldataProviderResponseCacheTTL=1s; fi
e2e-build-crd-image:
docker build --progress=plain --no-cache --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --build-arg TARGETOS="linux" --build-arg
TARGETARCH="amd64" -f crd.Dockerfile -t localbuildcrd:test ./charts/ratify/crds
diff --git a/charts/ratify/README.md b/charts/ratify/README.md
index df3d70cc9..30dcca253 100644
--- a/charts/ratify/README.md
+++ b/charts/ratify/README.md
@@ -53,7 +53,7 @@ $ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify
| resources.requests.memory | Memory request of Ratify Deployment | `512Mi` |
| serviceAccount.create | Create new dedicated Ratify service account | `true` |
| serviceAccount.name | Name of Ratify service account to create | `ratify-admin` |
-| gatekeeper.version | Determines the Gatekeeper CRD versioning | `3.13.0` |
+| gatekeeper.version | Determines the Gatekeeper CRD versioning | `3.14.0` |
| gatekeeper.namespace | Namespace Gatekeeper is installed | `gatekeeper-system` |
| instrumentation.metricsEnabled | Initializes the configured metrics provider | `true` |
| instrumentation.metricsType | Specifies the metrics provider type | `prometheus` |
diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml
index 97c4c6184..2c1325b7f 100644
--- a/charts/ratify/values.yaml
+++ b/charts/ratify/values.yaml
@@ -26,7 +26,7 @@ serviceAccount:
create: true
name: ratify-admin
gatekeeper:
- version: "3.13.0"
+ version: "3.14.0"
namespace: # default is gatekeeper-system
instrumentation:
metricsEnabled: true
diff --git a/dev.helmfile.yaml b/dev.helmfile.yaml
index aa83d3cae..78b5b9cae 100644
--- a/dev.helmfile.yaml
+++ b/dev.helmfile.yaml
@@ -9,7 +9,7 @@ releases:
namespace: gatekeeper-system
createNamespace: true
chart: gatekeeper/gatekeeper
- version: 3.13.0
+ version: 3.14.0
wait: true
set:
- name: enableExternalData
@@ -18,6 +18,8 @@ releases:
value: 5
- name: mutatingWebhookTimeoutSeconds
value: 2
+ - name: externaldataProviderResponseCacheTTL
+ value: 10s
- name: ratify
namespace: gatekeeper-system
chart: charts/ratify # PRERELEASE: Change to 'ratify/ratify' before copying to helmfile.yaml
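Review bot: The comment added above the `>= 3.14.0` branch of e2e-deploy-gatekeeper says the cache TTL is overridden to 10s, but the flag on the next line is `--set externaldataProviderResponseCacheTTL=1s`, while the dev.helmfile.yaml hunk in this same commit sets `10s`; pick one value and make the comment match it, e.g. `# Gatekeeper >= 3.14.0 exposes the external data response cache ttl as a helm value; keep it at 1s here, matching the 3.13.0 patch above`. The three version tests use `${GATEKEEPER_VERSION}` unquoted inside `[ ]`, so if the variable is ever overridden to an empty value (Make substitutes it before the shell runs) each test degrades to `[ = "3.12.0" ]`, which is a test syntax error rather than a clean fall-through; the `if` then takes no branch, nothing is installed, and the recipe still exits 0. Quoting the variable, `if [ "${GATEKEEPER_VERSION}" != "3.12.0" ] && [ "${GATEKEEPER_VERSION}" != "3.13.0" ]; then`, and likewise on the two preceding conditions, makes that failure visible. Because the last branch is written as "anything other than 3.12.0 or 3.13.0", any unrecognized value, including the 3.11.0 this commit drops from the CI matrix, is installed with a helm value that older charts presumably do not know; an explicit error for versions below 3.12.0 would keep the recipe in step with the CONTRIBUTING note.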
diff --git a/scripts/azure-ci-test.sh b/scripts/azure-ci-test.sh
index 640f0d614..3e662b830 100755
--- a/scripts/azure-ci-test.sh
+++ b/scripts/azure-ci-test.sh
@@ -28,7 +28,7 @@ export KEYVAULT_NAME="${KEYVAULT_NAME:-ratify-akv-${SUFFIX}}"
export USER_ASSIGNED_IDENTITY_NAME="${USER_ASSIGNED_IDENTITY_NAME:-ratify-e2e-identity-${SUFFIX}}"
export LOCATION="eastus"
export KUBERNETES_VERSION=${1:-1.27.7}
-GATEKEEPER_VERSION=${2:-3.11.0}
+GATEKEEPER_VERSION=${2:-3.14.0}
TENANT_ID=$3
export RATIFY_NAMESPACE=${4:-gatekeeper-system}
CERT_DIR=${5:-"~/ratify/certs"}