fix: allow multiple notationCert in default chart (ratify-project#1151)

Makefile

@@ -452,7 +452,7 @@ e2e-deploy-base-ratify: e2e-notation-setup e2e-notation-leaf-cert-setup e2e-inli
 	--set-file provider.tls.caCert=${CERT_DIR}/ca.crt \
     --set-file provider.tls.caKey=${CERT_DIR}/ca.key \
 	--set provider.tls.cabundle="$(shell cat ${CERT_DIR}/ca.crt | base64 | tr -d '\n')" \
-	--set notationCert="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
+	--set notationCerts[0]="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
 	--set oras.useHttp=true \
 	--set cosign.enabled=false \
 	--set-file dockerConfig="mount_config.json" \
@@ -490,7 +490,7 @@ e2e-helm-deploy-ratify:
 	--set-file provider.tls.caCert=${CERT_DIR}/ca.crt \
     --set-file provider.tls.caKey=${CERT_DIR}/ca.key \
 	--set provider.tls.cabundle="$(shell cat ${CERT_DIR}/ca.crt | base64 | tr -d '\n')" \
-	--set notationCert="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
+	--set notationCerts[0]="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
 	--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
 	--set oras.useHttp=true \
 	--set-file dockerConfig="mount_config.json" \
@@ -548,7 +548,7 @@ e2e-helm-deploy-ratify-replica: e2e-helm-deploy-redis e2e-notation-setup e2e-bui
 	--set-file provider.tls.caCert=${CERT_DIR}/ca.crt \
     --set-file provider.tls.caKey=${CERT_DIR}/ca.key \
 	--set provider.tls.cabundle="$(shell cat ${CERT_DIR}/ca.crt | base64 | tr -d '\n')" \
-	--set notationCert="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
+	--set notationCerts[0]="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
 	--set oras.useHttp=true \
 	--set cosign.enabled=false \
 	--set-file dockerConfig="mount_config.json" \

charts/ratify/README.md

@@ -43,7 +43,8 @@ $ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify
 | replicaCount                                       | The number of Ratify replicas in deployment                                                                                                                                                                                         | 1                              |
 | affinity                                           | Pod affinity for the Ratify deployment                                                                                                                                                                                              | `{}`                           |
 | tolerations                                        | Pod tolerations for the Ratify deployment                                                                                                                                                                                           | `[]`                           |
-| notationCert                                       | Public certificate/certificate chain used to create inline certstore used by Notation verifier.                                                                                                                                     | ``                             |
+| notationCert                                       | Public certificate/certificate chain used to create inline certstore used by Notation verifier. This value has been ***deprecated*** , and will be removed in future releases of Ratify. Please switch to ```notationCerts``` to specify an array of verification certificates                                                                                                                                  | ``                             |
+| notationCerts                                      | An array of public certificate/certificate chain used to create inline certstore used by Notation verifier                                                                  | ``                             |
 | cosign.enabled                                     | Enables/disables cosign tag-based signature lookup in ORAS store. MUST be set to true for cosign verification.                                                                                                                      | `true`                         |
 | cosign.key                                         | Public certificate used by cosign verifier                                                                                                                                                                                          | ``                             |
 | resources.limits.cpu                               | CPU limits of Ratify Deployment                                                                                                                                                                                                     | `1000m`                        |

charts/ratify/templates/inline-certificate-provider.yaml

@@ -1,8 +1,10 @@
+{{- $fullname := include "ratify.fullname" . -}}
+---
 {{- if .Values.notationCert }} 
 apiVersion: config.ratify.deislabs.io/v1beta1
 kind: CertificateStore
 metadata:
-  name: {{ include "ratify.fullname" . }}-notation-inline-cert
+  name: {{$fullname}}-notation-inline-cert
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-weight: "5"
@@ -11,3 +13,17 @@ spec:
   parameters:
     value: {{ .Values.notationCert | quote }}
 {{- end }}
+---
+{{-  range $i, $cert := .Values.notationCerts }}
+apiVersion: config.ratify.deislabs.io/v1beta1
+kind: CertificateStore
+metadata:
+  name: {{$fullname}}-notation-inline-cert-{{$i}}
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "5"
+spec:
+  provider: inline
+  parameters:
+    value: {{ $cert | quote }}
+{{- end }}

charts/ratify/templates/verifier.yaml

@@ -1,3 +1,5 @@
+{{- $fullname := include "ratify.fullname" . -}}
+---
 apiVersion: config.ratify.deislabs.io/v1beta1
 kind: Verifier
 metadata:
@@ -9,13 +11,20 @@ spec:
   name: notation
   artifactTypes: application/vnd.cncf.notary.signature
   parameters:
-
     verificationCertStores:
       certs:
         {{- if .Values.akvCertConfig.enabled }}
         - certstore-akv
         {{- else }}
-        - {{ include "ratify.fullname" . }}-notation-inline-cert
+          {{- if .Values.notationCert }}
+            {{- if .Values.notationCerts }}
+            {{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }}
+            {{- end -}}
+        - {{$fullname}}-notation-inline-cert
+          {{- end }} 
+          {{-  range $i, $cert := .Values.notationCerts }}
+        - {{$fullname}}-notation-inline-cert-{{$i}}
+          {{- end }} 
         {{- end }}
     trustPolicyDoc:
       version: "1.0"

charts/ratify/values.yaml

@@ -10,6 +10,8 @@ replicaCount: 1
 affinity: {}
 tolerations: []
 notationCert: ""
+notationCerts: []
+
 cosign:
   enabled: true
   key: ""

config/samples/config_v1alpha1_verifier_notation.yaml

@@ -8,7 +8,7 @@ spec:
   parameters:
      verificationCertStores:
        certs:
-         - ratify-notation-inline-cert
+         - ratify-notation-inline-cert-0
      trustPolicyDoc:
       version: "1.0"
       trustPolicies:

config/samples/config_v1beta1_verifier_notation.yaml

@@ -8,7 +8,7 @@ spec:
   parameters:
      verificationCertStores:
        certs:
-         - ratify-notation-inline-cert
+         - ratify-notation-inline-cert-0
      trustPolicyDoc:
       version: "1.0"
       trustPolicies:

config/samples/config_v1beta1_verifier_notation_specificnscertstore.yaml

@@ -8,7 +8,7 @@ spec:
   parameters:
      verificationCertStores:
        certs:
-         - default/ratify-notation-inline-cert
+         - default/ratify-notation-inline-cert-0
      trustPolicyDoc:
       version: "1.0"
       trustPolicies:

test/bats/base-test.bats

@@ -22,11 +22,10 @@ RATIFY_NAMESPACE=gatekeeper-system
     assert_success
     sleep 5
     # validate certificate store status property shows success
-    run bash -c "kubectl get certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert -n ${RATIFY_NAMESPACE} -o yaml | grep 'issuccess: true'"
+    run bash -c "kubectl get certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert-0 -n ${RATIFY_NAMESPACE} -o yaml | grep 'issuccess: true'"
     assert_success
     run kubectl run demo --namespace default --image=registry:5000/notation:signed
     assert_success
-
     run kubectl run demo1 --namespace default --image=registry:5000/notation:unsigned
     assert_failure
 
@@ -75,7 +74,7 @@ RATIFY_NAMESPACE=gatekeeper-system
     sleep 5
 
     # validate certificate store status property shows success
-    run bash -c "kubectl get certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert -n ${RATIFY_NAMESPACE} -o yaml | grep 'issuccess: true'"
+    run bash -c "kubectl get certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert-0 -n ${RATIFY_NAMESPACE} -o yaml | grep 'issuccess: true'"
     assert_success
     run kubectl run demo --namespace default --image=registry:5000/notation:signed
     assert_success
@@ -91,8 +90,8 @@ RATIFY_NAMESPACE=gatekeeper-system
         wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'kubectl delete pod demo1 --namespace default --force --ignore-not-found=true'
 
         # restore cert store in ratify namespace
-        run bash -c "kubectl get certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert -o yaml -n default > certStore.yaml"
-        run kubectl delete certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert -n default
+        run bash -c "kubectl get certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert-0 -o yaml -n default > certStore.yaml"
+        run kubectl delete certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert-0 -n default
         sed 's/default/gatekeeper-system/' certStore.yaml > certStoreNewNS.yaml
         run kubectl apply -f certStoreNewNS.yaml        
         assert_success
@@ -104,16 +103,17 @@ RATIFY_NAMESPACE=gatekeeper-system
     assert_success
     sleep 5
     run kubectl apply -f ./library/default/samples/constraint.yaml
+
     assert_success
     sleep 5
 
     # apply the certstore to default namespace
-    run bash -c "kubectl get certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert -o yaml -n ${RATIFY_NAMESPACE} > certStore.yaml"    
+    run bash -c "kubectl get certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert-0 -o yaml -n ${RATIFY_NAMESPACE} > certStore.yaml"    
     assert_success
     sed 's/gatekeeper-system/default/' certStore.yaml > certStoreNewNS.yaml    
     run kubectl apply -f certStoreNewNS.yaml
     assert_success
-    run kubectl delete certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert -n ${RATIFY_NAMESPACE}
+    run kubectl delete certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert-0 -n ${RATIFY_NAMESPACE}
     assert_success
 
     # configure the notation verifier to use inline certificate store with specific namespace

test/bats/high-availability.bats

@@ -19,7 +19,7 @@ SLEEP_TIME=1
     assert_success
     sleep 5
     # validate certificate store status property shows success
-    run bash -c "kubectl get certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert -n gatekeeper-system -o yaml | grep 'issuccess: true'"
+    run bash -c "kubectl get certificatestores.config.ratify.deislabs.io/ratify-notation-inline-cert-0 -n gatekeeper-system -o yaml | grep 'issuccess: true'"
     assert_success
     run kubectl run demo --namespace default --image=registry:5000/notation:signed
     assert_success