From 3c2fa5827eff9da815ef75d1a8f84db540f199f7 Mon Sep 17 00:00:00 2001 From: Juncheng Zhu <74894646+junczhu@users.noreply.github.com> Date: Mon, 4 Sep 2023 12:17:45 +0800 Subject: [PATCH 01/11] feat: upgrade oras-go v2.3.0 (#1050) Co-authored-by: Binbin Li --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 9630f9599..f48b27dfc 100644 --- a/go.mod +++ b/go.mod @@ -49,7 +49,7 @@ require ( k8s.io/api v0.27.5 k8s.io/apimachinery v0.27.5 k8s.io/client-go v0.27.5 - oras.land/oras-go/v2 v2.2.1 + oras.land/oras-go/v2 v2.3.0 ) require ( diff --git a/go.sum b/go.sum index 96ea100f6..8eb19baf2 100644 --- a/go.sum +++ b/go.sum @@ -1412,6 +1412,8 @@ k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrC k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= oras.land/oras-go/v2 v2.2.1 h1:3VJTYqy5KfelEF9c2jo1MLSpr+TM3mX8K42wzZcd6qE= oras.land/oras-go/v2 v2.2.1/go.mod h1:GeAwLuC4G/JpNwkd+bSZ6SkDMGaaYglt6YK2WvZP7uQ= +oras.land/oras-go/v2 v2.3.0 h1:lqX1aXdN+DAmDTKjiDyvq85cIaI4RkIKp/PghWlAGIU= +oras.land/oras-go/v2 v2.3.0/go.mod h1:GeAwLuC4G/JpNwkd+bSZ6SkDMGaaYglt6YK2WvZP7uQ= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= From 77113e187cba60be3a715116d7cc9e35f1b069e9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Sep 2023 10:41:43 +0800 Subject: [PATCH 02/11] chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.35 to 1.18.38 (#1053) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 8 ++++---- go.sum | 27 ++++++++------------------- 2 files changed, 12 insertions(+), 23 deletions(-) 
diff --git a/go.mod b/go.mod index f48b27dfc..d3007090b 100644 --- a/go.mod +++ b/go.mod @@ -14,8 +14,8 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 github.com/aws/aws-sdk-go-v2 v1.21.0 - github.com/aws/aws-sdk-go-v2/config v1.18.35 - github.com/aws/aws-sdk-go-v2/credentials v1.13.35 + github.com/aws/aws-sdk-go-v2/config v1.18.38 + github.com/aws/aws-sdk-go-v2/credentials v1.13.36 github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 github.com/cespare/xxhash/v2 v2.2.0 github.com/dapr/go-sdk v1.8.0 @@ -132,9 +132,9 @@ require ( github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.3.41 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.13.5 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 // indirect github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 // indirect github.com/aws/smithy-go v1.14.2 // indirect diff --git a/go.sum b/go.sum index 8eb19baf2..c2e2eaee0 100644 --- a/go.sum +++ b/go.sum 
@@ -164,31 +164,26 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:W github.com/aws/aws-sdk-go v1.44.288 h1:Ln7fIao/nl0ACtelgR1I4AiEw/GLNkKcXfCaHupUW5Q= github.com/aws/aws-sdk-go-v2 v1.7.1/go.mod h1:L5LuPC1ZgDr2xQS7AmIec/Jlc7O/Y1u2KxJyNVab250= github.com/aws/aws-sdk-go-v2 v1.14.0/go.mod h1:ZA3Y8V0LrlWj63MQAnRHgKf/5QB//LSZCPNWlWrNGLU= -github.com/aws/aws-sdk-go-v2 v1.20.3/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M= github.com/aws/aws-sdk-go-v2 v1.21.0 h1:gMT0IW+03wtYJhRqTVYn0wLzwdnK9sRMcxmtfGzRdJc= github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M= github.com/aws/aws-sdk-go-v2/config v1.5.0/go.mod h1:RWlPOAW3E3tbtNAqTwvSW54Of/yP3oiZXMI0xfUdjyA= -github.com/aws/aws-sdk-go-v2/config v1.18.35 h1:uU9rgCzrW/pVRUUlRULiwKQe8RoEDst1NQu4Qo8kOtk= -github.com/aws/aws-sdk-go-v2/config v1.18.35/go.mod h1:7xF1yr9GBMfYRQI4PLHO8iceqKLM6DpGVEvXI38HB/A= +github.com/aws/aws-sdk-go-v2/config v1.18.38 h1:CByQCELMgm2tM1lAehx3XNg0R/pfeXsYzqn0Aq2chJQ= +github.com/aws/aws-sdk-go-v2/config v1.18.38/go.mod h1:vNm9Hf5VgG2fSUWhT3zFrqN/RosGcabFMYgiSoxKFU8= github.com/aws/aws-sdk-go-v2/credentials v1.3.1/go.mod h1:r0n73xwsIVagq8RsxmZbGSRQFj9As3je72C2WzUIToc= -github.com/aws/aws-sdk-go-v2/credentials v1.13.34/go.mod h1:+wgdxCGNulHme6kTMZuDL9KOagLPloemoYkfjpQkSEU= -github.com/aws/aws-sdk-go-v2/credentials v1.13.35 h1:QpsNitYJu0GgvMBLUIYu9H4yryA5kMksjeIVQfgXrt8= -github.com/aws/aws-sdk-go-v2/credentials v1.13.35/go.mod h1:o7rCaLtvK0hUggAGclf76mNGGkaG5a9KWlp+d9IpcV8= +github.com/aws/aws-sdk-go-v2/credentials v1.13.36 h1:ps0cPswZjpsOk6sLwG6fdXTzrYjCplgPEyG3OUbbdqE= +github.com/aws/aws-sdk-go-v2/credentials v1.13.36/go.mod h1:sY2phUzxbygoyDtTXhqi7GjGjCQ1S5a5Rj8u3ksBxCg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.3.0/go.mod h1:2LAuqPx1I6jNfaGDucWfA2zqQCYCOMCDHiCOciALyNw= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.10/go.mod h1:wMsSLVM2hRpDVhd+3dtLUzqwm7/fjuhNN+b1aOLDt6g= 
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11 h1:uDZJF1hu0EVT/4bogChk8DyjSF6fof6uL/0Y26Ma7Fg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.11/go.mod h1:TEPP4tENqBGO99KwVpV9MlOX4NSrSLP8u3KRy2CDwA8= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.5/go.mod h1:2hXc8ooJqF2nAznsbJQIn+7h851/bu8GVC80OVTTqf8= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.40/go.mod h1:5kKmFhLeOVy6pwPDpDNA6/hK/d6URC98pqDDqHgdBx4= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41 h1:22dGT7PneFMx4+b3pz7lMTRyN8ZKH7M2cW4GP9yUS2g= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.41/go.mod h1:CrObHAuPneJBlfEJ5T3szXOUkLEThaGfvnhTf33buas= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.3.0/go.mod h1:miRSv9l093jX/t/j+mBCaLqFHo9xKYzJ7DGm1BsGoJM= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.34/go.mod h1:RZP0scceAyhMIQ9JvFp7HvkpcgqjL4l/4C+7RAeGbuM= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35 h1:SijA0mgjV8E+8G45ltVHs0fvKpTj8xmZJ3VwhGKtUSI= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.35/go.mod h1:SJC1nEVVva1g3pHAIdCp7QsRIkMmLAgoDquQ9Rr8kYw= github.com/aws/aws-sdk-go-v2/internal/ini v1.1.1/go.mod h1:Zy8smImhTdOETZqfyn01iNOe0CNggVbPjCajyaz6Gvg= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.41 h1:EcSFdpLdkF3FWizimox0qYLuorn9e4PNMR27mvshGLs= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.41/go.mod h1:mKxUXW+TuwpCKKHVlmHGVVuBi9y9LKW8AiQodg23M5E= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42 h1:GPUcE/Yq7Ur8YSUk6lVkoIMWnJNO0HT18GUzCWCgCI0= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.42/go.mod h1:rzfdUlfA+jdgLDmPKjd3Chq9V7LVLYo1Nz++Wb91aRo= github.com/aws/aws-sdk-go-v2/service/ecr v1.4.1/go.mod h1:FglZcyeiBqcbvyinl+n14aT/EWC7S1MIH+Gan2iizt0= github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0 h1:lY2Z2sBP+zSbJ6CvvmnFgPcgknoQ0OJV88AwVetRRFk= github.com/aws/aws-sdk-go-v2/service/ecr v1.15.0/go.mod h1:4zYI85WiYDhFaU1jPFVfkD7HlBcdnITDE3QxDwy4Kus= 
@@ -196,19 +191,15 @@ github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.4.1/go.mod h1:eD5Eo4drVP2FLTw0 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0 h1:LsqBpyRofMG6eDs6YGud6FhdGyIyXelAasPOZ6wWLro= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.12.0/go.mod h1:IArQ3IBR00FkuraKwudKZZU32OxJfdTdwV+W5iZh3Y4= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.2.1/go.mod h1:zceowr5Z1Nh2WVP8bf/3ikB41IZW59E4yIYbg+pC6mw= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.34/go.mod h1:ytsF+t+FApY2lFnN51fJKPhH6ICKOPXKEcwwgmJEdWI= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35 h1:CdzPW9kKitgIiLV1+MHobfR5Xg25iYnyzWZhyQuSlDI= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.35/go.mod h1:QGF2Rs33W5MaN9gYdEQOBBFPLwTZkEhRwI33f7KIG0o= github.com/aws/aws-sdk-go-v2/service/kms v1.22.2 h1:jwmtdM1/l1DRNy5jQrrYpsQm8zwetkgeqhAqefDr1yI= github.com/aws/aws-sdk-go-v2/service/sso v1.3.1/go.mod h1:J3A3RGUvuCZjvSuZEcOpHDnzZP/sKbhDWV2T1EOzFIM= -github.com/aws/aws-sdk-go-v2/service/sso v1.13.4/go.mod h1:FP05hDXTLouXwAMQ1swqybHy7tHySblMkBMKSumaKg0= -github.com/aws/aws-sdk-go-v2/service/sso v1.13.5 h1:oCvTFSDi67AX0pOX3PuPdGFewvLRU2zzFSrTsgURNo0= -github.com/aws/aws-sdk-go-v2/service/sso v1.13.5/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.4/go.mod h1:4pdlNASc29u0j9bq2jIQcBghG5Lx2oQAIj91vo1u1t8= +github.com/aws/aws-sdk-go-v2/service/sso v1.13.6 h1:2PylFCfKCEDv6PeSN09pC/VUiRd10wi1VfHG5FrW0/g= +github.com/aws/aws-sdk-go-v2/service/sso v1.13.6/go.mod h1:fIAwKQKBFu90pBxx07BFOMJLpRUGu8VOzLJakeY+0K4= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5 h1:dnInJb4S0oy8aQuri1mV6ipLlnZPfnsDNB9BGO9PDNY= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.15.5/go.mod h1:yygr8ACQRY2PrEcy3xsUI357stq2AxnFM6DIsR9lij4= github.com/aws/aws-sdk-go-v2/service/sts v1.6.0/go.mod h1:q7o0j7d7HrJk/vr9uUt3BVRASvcU7gYZB9PUgPiByXg= -github.com/aws/aws-sdk-go-v2/service/sts v1.21.4/go.mod 
h1:CQRMCzYvl5eeAQW3AWkRLS+zGGXCucBnsiQlrs+tCeo= github.com/aws/aws-sdk-go-v2/service/sts v1.21.5 h1:CQBFElb0LS8RojMJlxRSo/HXipvTZW2S44Lt9Mk2aYQ= github.com/aws/aws-sdk-go-v2/service/sts v1.21.5/go.mod h1:VC7JDqsqiwXukYEDjoHh9U0fOJtNWh04FPQz4ct4GGU= github.com/aws/smithy-go v1.6.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= @@ -1410,8 +1401,6 @@ k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5F k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -oras.land/oras-go/v2 v2.2.1 h1:3VJTYqy5KfelEF9c2jo1MLSpr+TM3mX8K42wzZcd6qE= -oras.land/oras-go/v2 v2.2.1/go.mod h1:GeAwLuC4G/JpNwkd+bSZ6SkDMGaaYglt6YK2WvZP7uQ= oras.land/oras-go/v2 v2.3.0 h1:lqX1aXdN+DAmDTKjiDyvq85cIaI4RkIKp/PghWlAGIU= oras.land/oras-go/v2 v2.3.0/go.mod h1:GeAwLuC4G/JpNwkd+bSZ6SkDMGaaYglt6YK2WvZP7uQ= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= From b7c069081a7f62120a49a6c0130eb2c8823327f0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Sep 2023 12:28:08 +0800 Subject: [PATCH 03/11] chore: Bump github.com/sigstore/sigstore from 1.7.2 to 1.7.3 (#1051) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 10 +++++----- go.sum | 22 +++++++++++----------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/go.mod b/go.mod index d3007090b..282405abf 100644 --- a/go.mod +++ b/go.mod 
@@ -20,11 +20,11 @@ require ( github.com/cespare/xxhash/v2 v2.2.0 github.com/dapr/go-sdk v1.8.0 github.com/dgraph-io/ristretto v0.1.1 - github.com/docker/cli v23.0.6+incompatible + github.com/docker/cli v24.0.0+incompatible github.com/docker/distribution v2.8.2+incompatible github.com/fsnotify/fsnotify v1.6.0 github.com/golang/protobuf v1.5.3 - github.com/google/go-containerregistry v0.15.2 + github.com/google/go-containerregistry v0.16.1 github.com/gorilla/mux v1.8.0 github.com/notaryproject/notation-core-go v1.0.0 github.com/notaryproject/notation-go v1.0.0 @@ -35,7 +35,7 @@ require ( github.com/opencontainers/image-spec v1.1.0-rc4 github.com/pkg/errors v0.9.1 github.com/sigstore/cosign/v2 v2.1.1 - github.com/sigstore/sigstore v1.7.2 + github.com/sigstore/sigstore v1.7.3 github.com/sirupsen/logrus v1.9.3 github.com/spdx/tools-golang v0.5.3 github.com/spf13/cobra v1.7.0 @@ -144,7 +144,7 @@ require ( github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect github.com/cyberphone/json-canonicalization v0.0.0-20220623050100-57a0ce2678a7 // indirect github.com/davecgh/go-spew v1.1.1 // indirect - github.com/docker/docker v23.0.5+incompatible // indirect + github.com/docker/docker v24.0.0+incompatible // indirect github.com/docker/docker-credential-helpers v0.7.0 // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/fxamacker/cbor/v2 v2.4.0 // indirect @@ -237,7 +237,7 @@ require ( golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect golang.org/x/mod v0.12.0 // indirect golang.org/x/net v0.14.0 // indirect - golang.org/x/oauth2 v0.10.0 // indirect + golang.org/x/oauth2 v0.11.0 // indirect golang.org/x/sys v0.11.0 // indirect golang.org/x/term v0.11.0 // indirect golang.org/x/text v0.12.0 // indirect diff --git a/go.sum b/go.sum index c2e2eaee0..dc4f56a80 100644 --- a/go.sum +++ b/go.sum 
@@ -283,12 +283,12 @@ github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQ github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U= github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= -github.com/docker/cli v23.0.6+incompatible h1:CScadyCJ2ZKUDpAMZta6vK8I+6/m60VIjGIV7Wg/Eu4= -github.com/docker/cli v23.0.6+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v24.0.0+incompatible h1:0+1VshNwBQzQAx9lOl+OYCTCEAD8fKs/qeXMx3O0wqM= +github.com/docker/cli v24.0.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v23.0.5+incompatible h1:DaxtlTJjFSnLOXVNUBU1+6kXGz2lpDoEAH6QoxaSg8k= -github.com/docker/docker v23.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v24.0.0+incompatible h1:z4bf8HvONXX9Tde5lGBMQ7yCJgNahmJumdrStZAbeY4= +github.com/docker/docker v24.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= 
@@ -391,7 +391,7 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= github.com/go-playground/validator/v10 v10.14.0 h1:vgvQWe3XCz3gIeFDm/HnTIbj6UGmg/+t63MyGU2n5js= github.com/go-playground/validator/v10 v10.14.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU= -github.com/go-rod/rod v0.114.2 h1:Qwt+vZHHnb117zc0q+XjhAJCkB01hchWSxH/raCyLb4= +github.com/go-rod/rod v0.114.3 h1:gAUT2Bc2wy0tQL5KEet05HNDvmndaHAGCjQ01TB2efA= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= @@ -490,8 +490,8 @@ github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= -github.com/google/go-containerregistry v0.15.2 h1:MMkSh+tjSdnmJZO7ljvEqV1DjfekB6VUEAZgy3a+TQE= -github.com/google/go-containerregistry v0.15.2/go.mod h1:wWK+LnOv4jXMM23IT/F1wdYftGWGr47Is8CG+pmHK1Q= +github.com/google/go-containerregistry v0.16.1 h1:rUEt426sR6nyrL3gt+18ibRcvYpKYdpsa5ZW7MA08dQ= +github.com/google/go-containerregistry v0.16.1/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ= github.com/google/go-github/v50 v50.2.0 h1:j2FyongEHlO9nxXLc+LP3wuBSVU9mVxfpdYUexMpIfk= github.com/google/go-github/v50 v50.2.0/go.mod h1:VBY8FB6yPIjrtKhozXv4FQupxKLS6H4m6xFZlT43q8Q= github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8= 
@@ -773,8 +773,8 @@ github.com/sigstore/fulcio v1.3.1 h1:0ntW9VbQbt2JytoSs8BOGB84A65eeyvGSavWteYp29Y github.com/sigstore/fulcio v1.3.1/go.mod h1:/XfqazOec45ulJZpyL9sq+OsVQ8g2UOVoNVi7abFgqU= github.com/sigstore/rekor v1.2.2-0.20230530122220-67cc9e58bd23 h1:eZY7mQFcc0VvNr0fiAK3/n7kh73+T06KzBEIUYzFSDQ= github.com/sigstore/rekor v1.2.2-0.20230530122220-67cc9e58bd23/go.mod h1:h1tOLhldpfILtziWpUDgGBu0vulWk9Kh72t6XzBGJok= -github.com/sigstore/sigstore v1.7.2 h1:MY0wSOhKWa8SIWSCO9SzFnUl+b7jbthgXHJpuUg31Qs= -github.com/sigstore/sigstore v1.7.2/go.mod h1:2IPD5YXrXoznfnIoVsDF7ARC1Nha8xIdLpsC4kEQh5w= +github.com/sigstore/sigstore v1.7.3 h1:HVVTfrMezJeLyl2xhJ8edzkrEGBa4KxjQZB4FlQ4JLU= +github.com/sigstore/sigstore v1.7.3/go.mod h1:cl0c7Dtg3MM3c13L8pqqrfrmBa0eM3POcdtBepjylmw= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.1 h1:rDHrG/63b3nBq3G9plg7iYnWN6lBhOfq/XultlCZgII= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.1 h1:X3ezwolP+b1jP3R6XPOWhUU0TZKONiv6EIRuySlZGrY= github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.7.1 h1:mj1KhdzzP1me994bt1UXhq5KZGSR1SoqxTqcT+hfPMk= 
@@ -1059,8 +1059,8 @@ golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.10.0 h1:zHCpF2Khkwy4mMB4bv0U37YtJdTGW8jI0glAApi0Kh8= -golang.org/x/oauth2 v0.10.0/go.mod h1:kTpgurOux7LqtuxjuyZa4Gj2gdezIt/jQtGnNFfypQI= +golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU= +golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= From 0772c6c0ef108723f500ea76c15281d8d0398d1d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Sep 2023 06:51:27 +0000 Subject: [PATCH 04/11] chore: Bump actions/checkout from 3.6.0 to 4.0.0 (#1055) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-pr.yml | 12 ++++++------ .github/workflows/codeql.yml | 2 +- .github/workflows/golangci-lint.yml | 2 +- .github/workflows/high-availability.yml | 2 +- .github/workflows/publish-charts.yml | 2 +- .github/workflows/publish-package.yml | 2 +- .github/workflows/quick-start.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/scorecards.yml | 2 +- .github/workflows/sync-gh-pages.yml | 2 +- 10 files changed, 15 insertions(+), 15 deletions(-) 
diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml index e57843256..f252bf910 100644 --- a/.github/workflows/build-pr.yml +++ b/.github/workflows/build-pr.yml @@ -20,7 +20,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac - name: setup go environment uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -43,7 +43,7 @@ jobs: contents: read steps: - name: Checkout - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: setup go environment uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -74,7 +74,7 @@ jobs: GATEKEEPER_VERSION: ["3.11.0", "3.12.0", "3.13.0"] steps: - name: Check out code into the Go module directory - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Set up Go 1.20 uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -134,7 +134,7 @@ jobs: GATEKEEPER_VERSION: ["3.11.0", "3.12.0", "3.13.0"] steps: - name: Check out code into the Go module directory - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Set up Go 1.20 uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: @@ -168,7 +168,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 with: submodules: recursive - name: Run link check 
@@ -190,7 +190,7 @@ jobs: contents: read steps: - name: Check out code into the Go module directory - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Set up Go 1.20 uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 108f023b7..7c3c1acbc 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # tag=3.0.2 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # tag=3.0.2 - name: setup go environment uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index 42fc82982..55fd010a2 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -16,7 +16,7 @@ jobs: - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: '1.20' - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: golangci-lint uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 with: diff --git a/.github/workflows/high-availability.yml b/.github/workflows/high-availability.yml index 7a77b11f6..9931dd5f0 100644 --- a/.github/workflows/high-availability.yml +++ b/.github/workflows/high-availability.yml 
@@ -28,7 +28,7 @@ jobs: DAPR_VERSION: ["1.11.1"] steps: - name: Check out code into the Go module directory - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: Set up Go 1.20 uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/publish-charts.yml b/.github/workflows/publish-charts.yml index f352915e4..766a24e57 100644 --- a/.github/workflows/publish-charts.yml +++ b/.github/workflows/publish-charts.yml @@ -12,7 +12,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac - name: Publish Helm charts uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0 with: diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml index cc22918fd..6654ab385 100644 --- a/.github/workflows/publish-package.yml +++ b/.github/workflows/publish-package.yml @@ -18,7 +18,7 @@ jobs: contents: read steps: - name: Checkout - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac - name: prepare id: prepare run: | diff --git a/.github/workflows/quick-start.yml b/.github/workflows/quick-start.yml index d5cf54ece..a09a7f8d5 100644 --- a/.github/workflows/quick-start.yml +++ b/.github/workflows/quick-start.yml @@ -25,7 +25,7 @@ jobs: KUBERNETES_VERSION: ["1.26.3"] steps: - name: Checkout - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - name: setup go environment uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 69d239456..33c061fa7 100644 
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,7 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # tag=3.0.2 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # tag=3.0.2 with: fetch-depth: 0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 7031794b1..b709f0f5f 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -22,7 +22,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # tag=3.0.2 + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # tag=3.0.2 with: persist-credentials: false diff --git a/.github/workflows/sync-gh-pages.yml b/.github/workflows/sync-gh-pages.yml index f0ab2fcd8..97985d295 100644 --- a/.github/workflows/sync-gh-pages.yml +++ b/.github/workflows/sync-gh-pages.yml @@ -16,7 +16,7 @@ jobs: pull-requests: write repository-projects: write steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 + - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac - uses: everlytic/branch-merge@c4a244dc23143f824ae6c022a10732566cb8e973 with: github_token: ${{ github.token }} From 26424d252f526f2261dcc8502a05d012794484ce Mon Sep 17 00:00:00 2001 From: Binbin Li Date: Wed, 6 Sep 2023 10:18:02 +0800 Subject: [PATCH 05/11] docs: add badge linking to pkg.go.dev (#1056) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1f89c1a44..8087ff450 100644 --- a/README.md +++ b/README.md 
@@ -12,6 +12,7 @@ by its developers, nor is it "supported" software. [![Go Report Card](https://goreportcard.com/badge/github.com/deislabs/ratify)](https://goreportcard.com/report/github.com/deislabs/ratify) [![build-pr](https://github.com/deislabs/ratify/actions/workflows/build-pr.yml/badge.svg)](https://github.com/deislabs/ratify/actions/workflows/build-pr.yml) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/deislabs/ratify/badge)](https://api.securityscorecards.dev/projects/github.com/deislabs/ratify) +[![Go Reference](https://pkg.go.dev/badge/github.com/deislabs/ratify.svg)](https://pkg.go.dev/github.com/deislabs/ratify) ## Table of Contents From 693741a85370a6377bc63ffe34aac025a34f8cae Mon Sep 17 00:00:00 2001 From: Binbin Li Date: Wed, 6 Sep 2023 11:36:17 +0800 Subject: [PATCH 06/11] fix: fix cert watcher (#1054) --- httpserver/server.go | 3 +++ test/bats/plugin-test.bats | 4 ---- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/httpserver/server.go b/httpserver/server.go index 54c0d4d51..6e31b959f 100644 --- a/httpserver/server.go +++ b/httpserver/server.go @@ -151,6 +151,9 @@ func (server *Server) Run(certRotatorReady chan struct{}) error { return err } defer tlsCertWatcher.Stop() + if err = tlsCertWatcher.ReadCertificates(); err != nil { + return err + } svr.TLSConfig = &tls.Config{ GetConfigForClient: tlsCertWatcher.GetConfigForClient, diff --git a/test/bats/plugin-test.bats b/test/bats/plugin-test.bats index 06b317bce..9a260a89c 100644 --- a/test/bats/plugin-test.bats +++ b/test/bats/plugin-test.bats 
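Review bot: The added `ReadCertificates()` guard after `defer tlsCertWatcher.Stop()` returns its error bare, so a caller of Run cannot tell it apart from the earlier `return err` visible at the top of the hunk. Wrapping it, for example `return fmt.Errorf("reading initial TLS certificates: %w", err)`, would make it clear in logs that the TLS listener never started because the certificate or key could not be loaded; this assumes `fmt` is already imported in server.go, which the hunk does not show. The eager read also deserves a one-line why-comment such as `// load the certificate once before serving so GetConfigForClient has one to hand out`, which is my reading of the intent from the commit title and should be confirmed by the author. Run's body starts and ends outside the hunk, so the rest of the `tls.Config` literal is not reviewed here.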
@@ -39,10 +39,6 @@ SLEEP_TIME=1 } @test "cert rotator test" { - teardown() { - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'helm uninstall ratify --namespace gatekeeper-system' - wait_for_process ${WAIT_TIME} ${SLEEP_TIME} 'make e2e-helm-deploy-ratify CERT_DIR=${CERT_DIR} CERT_ROTATION_ENABLED=false GATEKEEPER_VERSION=${GATEKEEPER_VERSION}' - } helm uninstall ratify --namespace gatekeeper-system make e2e-helm-deploy-ratify CERT_DIR=${EXPIRING_CERT_DIR} CERT_ROTATION_ENABLED=true GATEKEEPER_VERSION=${GATEKEEPER_VERSION} sleep 10 From be6be888f7f6736d3d0c170fe620d363b3423ff2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Sep 2023 06:10:13 +0000 Subject: [PATCH 07/11] chore: Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 (#1059) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 33c061fa7..5bf30d6fa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -26,7 +26,7 @@ jobs: go-version: '1.20' - name: Goreleaser - uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # v4.4.0 + uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4.6.0 with: version: '1.18.0' args: release --rm-dist From 40834b6baca79b2eacef9c8d9af18aa0ca614ac5 Mon Sep 17 00:00:00 2001 From: Xinhe Li Date: Thu, 7 Sep 2023 09:37:26 +0800 Subject: [PATCH 08/11] doc: update document about install ratify on azure policy enabled aks cluster (#1041) Co-authored-by: Susan Shi --- docs/quickstarts/ratify-on-azure.md | 44 ++++++++- library/default/customazurepolicy.json | 123 +++++++++++++++++++++++++ 2 files changed, 166 insertions(+), 1 deletion(-) create mode 100644 library/default/customazurepolicy.json 
diff --git a/docs/quickstarts/ratify-on-azure.md b/docs/quickstarts/ratify-on-azure.md index 173940638..29c4711f5 100644 --- a/docs/quickstarts/ratify-on-azure.md +++ b/docs/quickstarts/ratify-on-azure.md @@ -127,7 +127,9 @@ Configure user-assigned managed identity and enable `AcrPull` role to the worklo --object-id ${IDENTITY_OBJECT_ID} ``` -## Deploy Gatekeeper and Ratify on AKS +## Deploy Gatekeeper and Ratify on AKS +run `az aks show -g "${GROUP_NAME}" -n "${AKS_NAME}" --query addonProfiles.azurepolicy` to verify if the AKS cluster has azure policy addon enabled, learn more at [use azure policy](https://learn.microsoft.com/en-us/azure/aks/use-azure-policy) +### When Azure Policy Addon is not enabled 1. Deploy Gatekeeper from helm chart: @@ -152,6 +154,7 @@ Configure user-assigned managed identity and enable `AcrPull` role to the worklo helm install ratify \ ./charts/ratify --atomic \ --namespace ${RATIFY_NAMESPACE} --create-namespace \ + --set featureFlags.RATIFY_CERT_ROTATION=true \ --set akvCertConfig.enabled=true \ --set akvCertConfig.vaultURI=${VAULT_URI} \ --set akvCertConfig.cert1Name=${KEY_NAME} \ 
@@ -166,6 +169,45 @@ Configure user-assigned managed identity and enable `AcrPull` role to the worklo kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml ``` +### When Azure Policy Addon is enabled on AKS +1. Ensure your AKS cluster is 1.26+ +2. `az feature register -n AKS-AzurePolicyExternalData --namespace Microsoft.ContainerService` +3. Install Ratify on AKS from helm chart: + + ```bash + # Add a Helm repo + helm repo add ratify https://deislabs.github.io/ratify + helm repo update + + # Install Ratify + helm install ratify \ + ./charts/ratify --atomic \ + --namespace gatekeeper-system --create-namespace \ + --set provider.enableMutation=false \ + --set featureFlags.RATIFY_CERT_ROTATION=true \ + --set akvCertConfig.enabled=true \ + --set akvCertConfig.vaultURI=${VAULT_URI} \ + --set akvCertConfig.cert1Name=${KEY_NAME} \ + --set akvCertConfig.tenantId=${TENANT_ID} \ + --set oras.authProviders.azureWorkloadIdentityEnabled=true \ + --set azureWorkloadIdentity.clientId=${IDENTITY_CLIENT_ID} + ``` + +4. 
Create and assign azure policy on your cluster: + + ```bash + custom_policy=$(curl -L https://deislabs.github.io/ratify/library/default/customazurepolicy.yaml) + definition_name="ratify-default-custom-policy" + scope=$(az aks show -g "${GROUP_NAME}" -n "${AKS_NAME}" --query id -o tsv) + + definition_id=$(az policy definition create --name "${definition_name}" --rules "$(echo "${custom_policy}" | jq .policyRule)" --params "$(echo "${custom_policy}" | jq .parameters)" --mode "Microsoft.Kubernetes.Data" --query id -o tsv) + + assignment_id=$(az policy assignment create --policy "${definition_id}" --name "${definition_name}" --scope "${scope}" --query id -o tsv) + + echo "Please wait policy assignmet with id ${assignment_id} taking effect" + echo "It often requires 15 min" + echo "You can run 'kubectl get constraintTemplate ratifyverification' to verify the policy takes effect" + ``` ## Deploy two sample image to AKS cluster diff --git a/library/default/customazurepolicy.json b/library/default/customazurepolicy.json new file mode 100644 index 000000000..52b16c5c4 --- /dev/null +++ b/library/default/customazurepolicy.json 
@@ -0,0 +1,123 @@ +{ + "mode": "Microsoft.Kubernetes.Data", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Disable' turns off the policy.", + "portalReview": true + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + }, + "excludedNamespaces": { + "type": "Array", + "metadata": { + "displayName": "Namespace exclusions", + "description": "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces \"kube-system\", \"gatekeeper-system\" are always excluded by design." + }, + "defaultValue": [ + "kube-system", + "gatekeeper-system" + ] + }, + "namespaces": { + "type": "Array", + "metadata": { + "displayName": "Namespace inclusions", + "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." + }, + "defaultValue": [] + }, + "labelSelector": { + "type": "Object", + "metadata": { + "displayName": "Kubernetes label selector", + "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." + }, + "defaultValue": {}, + "schema": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. 
An empty label selector matches all resources.", + "type": "object", + "properties": { + "matchLabels": { + "description": "matchLabels is a map of {key,value} pairs.", + "type": "object", + "additionalProperties": { + "type": "string" + }, + "minProperties": 1 + }, + "matchExpressions": { + "description": "matchExpressions is a list of values, a key, and an operator.", + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values.", + "type": "string", + "enum": [ + "In", + "NotIn", + "Exists", + "DoesNotExist" + ] + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.", + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "key", + "operator" + ], + "additionalProperties": false + }, + "minItems": 1 + } + }, + "additionalProperties": false + } + } + }, + "policyRule": { + "if": { + "field": "type", + "in": [ + "Microsoft.ContainerService/managedClusters" + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "templateInfo": { + "sourceType": "PublicURL", + "url": "https://deislabs.github.io/ratify/library/default/template.yaml" + }, + "apiGroups": [ + "" + ], + "kinds": [ + "Pod" + ], + "excludedNamespaces": "[parameters('excludedNamespaces')]", + "namespaces": "[parameters('namespaces')]", + "labelSelector": "[parameters('labelSelector')]" + } + } + } +} \ No newline at end of file From 3b271b8018904cf424c7f03027829d32b952d907 Mon Sep 17 00:00:00 2001 From: Susan Shi Date: Wed, 6 Sep 2023 20:47:41 -0700 Subject: [PATCH 09/11] feat: add health Probe (#1058) 
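Review bot: The `templateInfo` block under `policyRule` loads the constraint template from `https://deislabs.github.io/ratify/library/default/template.yaml` with `sourceType` `PublicURL`, so the admission rule a cluster enforces follows whatever that unversioned page serves whenever the template is fetched. Consider pointing `url` at a release-pinned copy of the template, or embedding it in the definition (Azure Policy also accepts a `Base64Encoded` source type), so that a change to the published site cannot silently alter or weaken an existing assignment. Separately, the `effect` description explains 'Audit' and 'Disable' but not the default `Deny`, and the allowed value is spelled `Disabled`. The quickstart hunk in this same commit downloads `customazurepolicy.yaml` while the file added here is `customazurepolicy.json`, so one of the two names looks wrong.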
Signed-off-by: Susan Shi --- charts/ratify/templates/deployment.yaml | 12 ++++++++++++ charts/ratify/values.yaml | 1 + cmd/ratify/cmd/serve.go | 4 +++- httpserver/server.go | 1 + pkg/manager/manager.go | 7 ++++--- 5 files changed, 21 insertions(+), 4 deletions(-) diff --git a/charts/ratify/templates/deployment.yaml b/charts/ratify/templates/deployment.yaml index f448d41b5..0df4017c4 100644 --- a/charts/ratify/templates/deployment.yaml +++ b/charts/ratify/templates/deployment.yaml @@ -38,6 +38,14 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.healthPort }} + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.healthPort }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -70,11 +78,15 @@ spec: - --metrics-enabled={{ .Values.instrumentation.metricsEnabled }} - --metrics-type={{ .Values.instrumentation.metricsType }} - --metrics-port={{ .Values.instrumentation.metricsPort }} + - --health-port=:{{ .Values.healthPort }} ports: - containerPort: 6001 {{- if .Values.instrumentation.metricsEnabled }} - containerPort: {{ required "You must provide .Values.instrumentation.metricsPort" .Values.instrumentation.metricsPort }} {{- end }} + - containerPort: {{ required "You must provide .Values.healthPort" .Values.healthPort }} + name: healthz + protocol: TCP volumeMounts: {{- if .Values.cosign.enabled }} - mountPath: "/usr/local/ratify-certs/cosign" diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml index a50a25f15..4484ce853 100644 --- a/charts/ratify/values.yaml +++ b/charts/ratify/values.yaml @@ -87,6 +87,7 @@ provider: podAnnotations: {} podLabels: {} enableRuntimeDefaultSeccompProfile: true +healthPort: 9099 rbac: create: true diff --git a/cmd/ratify/cmd/serve.go b/cmd/ratify/cmd/serve.go index 4f011cf32..65ebb513c 100644 --- a/cmd/ratify/cmd/serve.go 
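Review bot: The `livenessProbe` and `readinessProbe` added to the container read `.Values.healthPort` directly, while the `required` check for that value sits only on the `containerPort` entry in the second hunk of this file. A missing value is therefore reported from the ports list, not from the probes or from `--health-port=:{{ .Values.healthPort }}`, which consume it first. Since the port entry is named `healthz`, both probes could use `port: healthz`, leaving a single guarded place that carries the number. Both probes also rely on the default timing, so a one-line comment stating that this is intended would help.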
+++ b/cmd/ratify/cmd/serve.go @@ -47,6 +47,7 @@ type serveCmdOptions struct { metricsEnabled bool metricsType string metricsPort int + healthPort string } func NewCmdServe(_ ...string) *cobra.Command { @@ -77,6 +78,7 @@ func NewCmdServe(_ ...string) *cobra.Command { flags.BoolVar(&opts.metricsEnabled, "metrics-enabled", false, "Enable metrics exporter if enabled (default: false)") flags.StringVar(&opts.metricsType, "metrics-type", httpserver.DefaultMetricsType, fmt.Sprintf("Metrics exporter type to use (default: %s)", httpserver.DefaultMetricsType)) flags.IntVar(&opts.metricsPort, "metrics-port", httpserver.DefaultMetricsPort, fmt.Sprintf("Metrics exporter port to use (default: %d)", httpserver.DefaultMetricsPort)) + flags.StringVar(&opts.healthPort, "health-port", httpserver.DefaultHealthPort, fmt.Sprintf("Health port to use (default: %s)", httpserver.DefaultHealthPort)) return cmd } @@ -100,7 +102,7 @@ func serve(opts serveCmdOptions) error { if opts.enableCrdManager { certRotatorReady := make(chan struct{}) logrus.Infof("starting crd manager") - go manager.StartManager(certRotatorReady) + go manager.StartManager(certRotatorReady, opts.healthPort) manager.StartServer(opts.httpServerAddress, opts.configFilePath, opts.certDirectory, opts.caCertFile, opts.cacheTTL, opts.metricsEnabled, opts.metricsType, opts.metricsPort, certRotatorReady) return nil diff --git a/httpserver/server.go b/httpserver/server.go index 6e31b959f..c52daf19d 100644 --- a/httpserver/server.go +++ b/httpserver/server.go @@ -46,6 +46,7 @@ const ( DefaultMetricsType = "prometheus" DefaultMetricsPort = 8888 + DefaultHealthPort = ":9099" ) type Server struct { diff --git a/pkg/manager/manager.go b/pkg/manager/manager.go index 745928464..ea045df62 100644 --- a/pkg/manager/manager.go +++ b/pkg/manager/manager.go 
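Review bot: The `health-port` flag registered in `NewCmdServe` takes a bind address, not a port number: its default is `httpserver.DefaultHealthPort` (`":9099"` in the httpserver/server.go hunk) and the chart passes `--health-port=:{{ .Values.healthPort }}`, whereas the neighbouring `metrics-port` is an int. The help text should say so, for example `"Health probe bind address, e.g. :9099 (default: %s)"`, because a bare `9099` would presumably fail when the manager tries to listen on it. The value also determines which interfaces expose the probe endpoint, so a comment on `DefaultHealthPort` noting that it is an address with an empty host part would help. `NewCmdServe` starts and ends outside the hunk.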
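Review bot: `opts.healthPort` is handed to `manager.StartManager` only inside the `if opts.enableCrdManager` branch of `serve`, and nothing in this hunk starts a health endpoint on the other path, while the deployment template in this commit adds liveness and readiness probes unconditionally. If Ratify can be deployed with the CRD manager off (the rest of `serve` is outside the hunk, so this is inferred), the probes would fail and the pod would be restarted and never marked ready. Either serve `/healthz` and `/readyz` on that path too, or make the probes conditional in the chart. A short comment at the call, such as `// health probes are served by the controller manager on opts.healthPort`, would record the dependency.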
@@ -142,12 +142,11 @@ func StartServer(httpServerAddress, configFilePath, certDirectory, caCertFile st } } -func StartManager(certRotatorReady chan struct{}) { +func StartManager(certRotatorReady chan struct{}, probeAddr string) { var metricsAddr string var enableLeaderElection bool - var probeAddr string + flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.") - flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.") flag.BoolVar(&enableLeaderElection, "leader-elect", false, "Enable leader election for controller manager. "+ "Enabling this will ensure there is only one active controller manager.") @@ -179,6 +178,8 @@ func StartManager(certRotatorReady chan struct{}) { os.Exit(1) } + setupLog.Debugf("setting up probeAddr at %s", probeAddr) + // Make sure certs are generated and valid if cert rotation is enabled. if featureflag.CertRotation.Enabled { // Make sure TLS cert watcher is already set up. From f6e9f4a03a0e0f2ac88ccec34a5f8c765d11ded6 Mon Sep 17 00:00:00 2001 From: Susan Shi Date: Wed, 6 Sep 2023 23:58:20 -0700 Subject: [PATCH 10/11] feat: update chart for rc8 (#1064) --- RELEASES.md | 16 ++++++++-------- charts/ratify/Chart.yaml | 4 ++-- charts/ratify/values.yaml | 2 +- dev.helmfile.yaml | 2 +- dev.high-availability.helmfile.yaml | 2 +- helmfile.yaml | 2 ++ high-availability.helmfile.yaml | 2 +- 7 files changed, 16 insertions(+), 14 deletions(-) diff --git a/RELEASES.md b/RELEASES.md index b49ae8673..6b8f2bd2c 100644 --- a/RELEASES.md +++ b/RELEASES.md 
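Review bot: `StartManager` is exported and now takes `probeAddr`, but it has no doc comment and the hunk shows no check on the value; where it is consumed is outside the hunk, though it presumably feeds the manager's health-probe bind address. A comment such as `// StartManager runs the controller manager; probeAddr is the health probe bind address, e.g. ":9099".` would document the contract. The change also drops the `health-probe-bind-address` flag and its `:8081` default, so any invocation that still passes that flag needs to move to `--health-port`; that is worth stating in the release notes. The function body continues outside both hunks of this file.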
@@ -24,15 +24,11 @@ Example pre-release versions include `v0.1.0-alpha1`, `v0.1.0-beta2`, `v0.1.0-rc 1. Most e2e-scenarios for cli, K8s, and Azure are covered by the Ratify e2e tests. Please refer to this [document](test/validation.md) for the current supported and unsupported tests. Please perform manual prerelease validations for the unsupported tests list [here](test/validation.md#unsupported-tests) -2. Validate that the format of the data returned for external data calls has not changed. If it has changed update the version in `httpserver/types.go` to reflect a change in the format and document the update. +2. If the format of the data returned for [external data calls](docs/reference/verification-result-version.md) has changed, validate change is also reflected in [`httpserver/types.go`](httpserver/types.go). -3. Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` packages. Each dev image tag is prefixed with `dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `dev.20230308.4cf9838`). +3. Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each dev image tag is prefixed with `dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `dev.20230308.4cf9838`). -4. Copy contents from `dev.helmfile.yaml` to `helmfile.yaml` & `dev.high-availability.helmfile.yaml` to `high-availability.helmfile.yaml`. You MUST update/remove values marked by comments in the files. The `dev` prefixed helmfiles are treated as staging files that are up to date with new changes on main branch. 
The primary `helmfile.yaml` and `high-availability.helmfile.yaml` MUST stay pinned to the current release since they are used by the quickstarts. Update `dev.helmfile.yaml` & `dev.high-availability.helmfile.yaml` ratify chart version to new release version. - -## Post Release Activity - -After a successful release, please manually trigger [quick start action](.github/quick-start.yml) to validate the quick start test is passing. Validate in the run logs that the version of ratify matches the latest released version. +4. Copy contents from [`dev.helmfile.yaml`](dev.helmfile.yaml) to [`helmfile.yaml`](helmfile.yaml) & [`dev.high-availability.helmfile.yaml`](dev.high-availability.helmfile.yaml) to [`high-availability.helmfile.yaml`](high-availability.helmfile.yaml). You MUST update/remove values marked by comments in the files. The `dev` prefixed helmfiles are treated as staging files that are up to date with new changes on main branch. The primary `helmfile.yaml` and `high-availability.helmfile.yaml` MUST stay pinned to the current release since they are used by the quickstarts. Update `dev.helmfile.yaml` & `dev.high-availability.helmfile.yaml` ratify chart version to new release version. ## Git Release Flow 
@@ -52,7 +48,7 @@ When a major release is required, the release commits should be merged with the ### Tag and Release -When the release branch is ready, a tag should be pushed with a name matching the branch name, e.g. `git tag v0.1.0-alpha1` and `git push --tags`. This will trigger a [Goreleaser](https://goreleaser.com/) action that will build the binaries and creates a [GitHub release](https://help.github.com/articles/creating-releases/): +Prepare the release with a [PR](https://github.com/deislabs/ratify/pull/1031/files) to update the chart value. When the release branch is ready, a tag should be pushed with a name matching the branch name, e.g. `git tag v0.1.0-alpha1` and `git push --tags`. This will trigger a [Goreleaser](https://goreleaser.com/) action that will build the binaries and creates a [GitHub release](https://help.github.com/articles/creating-releases/): * The release will be marked as a draft to allow an final editing before publishing. * The release notes and other fields can edited after the action completes. The description can be in Markdown. @@ -60,6 +56,10 @@ When the release branch is ready, a tag should be pushed with a name matching th * The pre-built binaries are built from commit at the head of the release branch. * The files are named `ratify_--__` with `.zip` files for Windows and `.tar.gz` for all others. +## Post Release Activity + +After a successful release, please manually trigger [quick start action](.github/quick-start.yml) to validate the quick start test is passing. Validate in the run logs that the version of ratify matches the latest released version. + ### Weekly Dev Release #### Publishing Guidelines diff --git a/charts/ratify/Chart.yaml b/charts/ratify/Chart.yaml index a59adbdb4..086024c44 100644 --- a/charts/ratify/Chart.yaml +++ b/charts/ratify/Chart.yaml 
@@ -1,6 +1,6 @@ apiVersion: v2 name: ratify description: A Helm chart for Ratify -version: 1.9.0 -appVersion: v1.0.0-rc.7 +version: 1.10.0 +appVersion: v1.0.0-rc.8 home: https://github.com/deislabs/ratify diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml index 4484ce853..aaabcc82a 100644 --- a/charts/ratify/values.yaml +++ b/charts/ratify/values.yaml @@ -1,7 +1,7 @@ image: repository: ghcr.io/deislabs/ratify crdRepository: ghcr.io/deislabs/ratify-crds - tag: v1.0.0-rc.7 + tag: v1.0.0-rc.8 pullPolicy: IfNotPresent nameOverride: "" diff --git a/dev.helmfile.yaml b/dev.helmfile.yaml index 0852d9896..45d27731f 100644 --- a/dev.helmfile.yaml +++ b/dev.helmfile.yaml @@ -9,7 +9,7 @@ releases: namespace: gatekeeper-system createNamespace: true chart: gatekeeper/gatekeeper - version: 3.12.0 + version: 3.13.0 wait: true set: - name: enableExternalData diff --git a/dev.high-availability.helmfile.yaml b/dev.high-availability.helmfile.yaml index ee7535f72..44afc6b79 100644 --- a/dev.high-availability.helmfile.yaml +++ b/dev.high-availability.helmfile.yaml @@ -119,7 +119,7 @@ releases: value: true - name: featureFlags.RATIFY_CERT_ROTATION value: true - - name: logLevel + - name: logger.level value: debug - name: notationCert value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }} diff --git a/helmfile.yaml b/helmfile.yaml index 46f568f6d..d47250efc 100644 --- a/helmfile.yaml +++ b/helmfile.yaml @@ -12,6 +12,8 @@ releases: version: 3.13.0 wait: true set: + - name: enableExternalData + value: true - name: validatingWebhookTimeoutSeconds value: 5 - name: mutatingWebhookTimeoutSeconds diff --git a/high-availability.helmfile.yaml b/high-availability.helmfile.yaml index 87b527f15..c3988fe5a 100644 --- a/high-availability.helmfile.yaml +++ b/high-availability.helmfile.yaml 
@@ -32,7 +32,7 @@ releases: - name: ratify namespace: gatekeeper-system chart: ratify/ratify - version: 1.9.0 + version: 1.10.0 # Make sure this matches Chart.yaml wait: true needs: - dapr-system/dapr From 32c23eb40b4c5f80b2ee770d4763ebef4c42f496 Mon Sep 17 00:00:00 2001 From: Binbin Li Date: Thu, 7 Sep 2023 11:48:15 +0000 Subject: [PATCH 11/11] fix: fix azure test --- scripts/azure-ci-test.sh | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/scripts/azure-ci-test.sh b/scripts/azure-ci-test.sh index 204225450..0abcee5a8 100755 --- a/scripts/azure-ci-test.sh +++ b/scripts/azure-ci-test.sh @@ -49,15 +49,16 @@ build_push_to_acr() { deploy_gatekeeper() { echo "deploying gatekeeper" - helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts - helm install gatekeeper/gatekeeper \ - --version ${GATEKEEPER_VERSION} \ - --name-template=gatekeeper \ - --namespace gatekeeper-system --create-namespace \ - --set enableExternalData=true \ - --set validatingWebhookTimeoutSeconds=5 \ - --set mutatingWebhookTimeoutSeconds=2 \ - --set auditInterval=0 + make e2e-deploy-gatekeeper GATEKEEPER_VERSION=${GATEKEEPER_VERSION} GATEKEEPER_NAMESPACE="gatekeeper-system" + # helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts + # helm install gatekeeper/gatekeeper \ + # --version ${GATEKEEPER_VERSION} \ + # --name-template=gatekeeper \ + # --namespace gatekeeper-system --create-namespace \ + # --set enableExternalData=true \ + # --set validatingWebhookTimeoutSeconds=5 \ + # --set mutatingWebhookTimeoutSeconds=2 \ + # --set auditInterval=0 } deploy_ratify() {
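Review bot: The nine commented-out `helm` lines left inside `deploy_gatekeeper` should be deleted rather than kept as dead code, since version control already holds them. With the install moved to `make e2e-deploy-gatekeeper`, the settings the old command passed explicitly (`enableExternalData=true`, the two webhook timeouts, `auditInterval=0`) now depend on a Makefile target that is not part of this hunk. It is worth confirming that the target still enables external data, because a Gatekeeper without it would presumably not exercise Ratify's verification in this test. Quoting the expansion, `GATEKEEPER_VERSION="${GATEKEEPER_VERSION}"`, keeps an empty or space-containing value from changing the make arguments.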