binbin-li · binbin-li · Sep 4, 2023 · Sep 5, 2023 · Sep 5, 2023 · Sep 5, 2023
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
       - name: setup go environment
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
@@ -43,7 +43,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: setup go environment
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
@@ -74,7 +74,7 @@ jobs:
         GATEKEEPER_VERSION: ["3.11.0", "3.12.0", "3.13.0"]
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Set up Go 1.20
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
@@ -134,7 +134,7 @@ jobs:
         GATEKEEPER_VERSION: ["3.11.0", "3.12.0", "3.13.0"]
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Set up Go 1.20
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
@@ -168,7 +168,7 @@ jobs:
       runs-on: ubuntu-latest
       steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           submodules: recursive
       - name: Run link check
@@ -190,7 +190,7 @@ jobs:
       contents: read
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Set up Go 1.20
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # tag=3.0.2
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # tag=3.0.2
       - name: setup go environment
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:

@@ -16,7 +16,7 @@ jobs:
       - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:
           go-version: '1.20'
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: golangci-lint
         uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
         with:

@@ -28,7 +28,7 @@ jobs:
         DAPR_VERSION: ["1.11.1"]
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Set up Go 1.20
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:

@@ -12,7 +12,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
       - name: Publish Helm charts
         uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
         with:

@@ -18,7 +18,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
       - name: prepare
         id: prepare
         run: |

@@ -25,7 +25,7 @@ jobs:
         KUBERNETES_VERSION: ["1.26.3"]
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: setup go environment
         uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
         with:

@@ -16,7 +16,7 @@ jobs:
       contents: write
     steps:
     - name: Checkout
-      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # tag=3.0.2
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # tag=3.0.2
       with:
           fetch-depth: 0
 
@@ -26,7 +26,7 @@ jobs:
         go-version: '1.20'
 
     - name: Goreleaser
-      uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # v4.4.0
+      uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4.6.0
       with:
         version: '1.18.0'
         args: release --rm-dist

@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # tag=3.0.2
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # tag=3.0.2
         with:
           persist-credentials: false
 

@@ -16,7 +16,7 @@ jobs:
       pull-requests: write
       repository-projects: write
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac
       - uses: everlytic/branch-merge@c4a244dc23143f824ae6c022a10732566cb8e973
         with:
           github_token: ${{ github.token }}

@@ -12,6 +12,7 @@ by its developers, nor is it "supported" software.
 [![Go Report Card](https://goreportcard.com/badge/github.com/deislabs/ratify)](https://goreportcard.com/report/github.com/deislabs/ratify)
 [![build-pr](https://github.com/deislabs/ratify/actions/workflows/build-pr.yml/badge.svg)](https://github.com/deislabs/ratify/actions/workflows/build-pr.yml)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/deislabs/ratify/badge)](https://api.securityscorecards.dev/projects/github.com/deislabs/ratify)
+[![Go Reference](https://pkg.go.dev/badge/github.com/deislabs/ratify.svg)](https://pkg.go.dev/github.com/deislabs/ratify)
 
 ## Table of Contents
 

@@ -24,15 +24,11 @@ Example pre-release versions include `v0.1.0-alpha1`, `v0.1.0-beta2`, `v0.1.0-rc
 
 1. Most e2e-scenarios for cli, K8s, and Azure are covered by the Ratify e2e tests. Please refer to this [document](test/validation.md) for the current supported and unsupported tests. Please perform manual prerelease validations for the unsupported tests list [here](test/validation.md#unsupported-tests)
 
-2. Validate that the format of the data returned for external data calls has not changed. If it has changed update the version in `httpserver/types.go` to reflect a change in the format and document the update.
+2. If the format of the data returned for [external data calls](docs/reference/verification-result-version.md) has changed, validate change is also reflected in [`httpserver/types.go`](httpserver/types.go).
 
-3. Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` packages. Each dev image tag is prefixed with `dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `dev.20230308.4cf9838`).
+3. Delete all dev images generated since the previous release under the `ratify-dev` and `ratify-crds-dev` [packages](https://github.com/orgs/deislabs/packages?repo_name=ratify). Each dev image tag is prefixed with `dev` followed by the date of creation and then the abbreviated 7 character commit SHA (e.g a build generated on March 8, 2023 from main branch with commit SHA `4cf98388ef33c587ef86b82e05cb0f7de2da2ea8` would be tagged `dev.20230308.4cf9838`).
 
-4. Copy contents from `dev.helmfile.yaml` to `helmfile.yaml` & `dev.high-availability.helmfile.yaml` to `high-availability.helmfile.yaml`. You MUST update/remove values marked by comments in the files. The `dev` prefixed helmfiles are treated as staging files that are up to date with new changes on main branch. The primary `helmfile.yaml` and `high-availability.helmfile.yaml` MUST stay pinned to the current release since they are used by the quickstarts. Update `dev.helmfile.yaml` & `dev.high-availability.helmfile.yaml` ratify chart version to new release version.
-
-## Post Release Activity
-
-After a successful release, please manually trigger [quick start action](.github/quick-start.yml) to validate the quick start test is passing. Validate in the run logs that the version of ratify matches the latest released version.
+4. Copy contents from [`dev.helmfile.yaml`](dev.helmfile.yaml) to [`helmfile.yaml`](helmfile.yaml) & [`dev.high-availability.helmfile.yaml`](dev.high-availability.helmfile.yaml) to [`high-availability.helmfile.yaml`](high-availability.helmfile.yaml). You MUST update/remove values marked by comments in the files. The `dev` prefixed helmfiles are treated as staging files that are up to date with new changes on main branch. The primary `helmfile.yaml` and `high-availability.helmfile.yaml` MUST stay pinned to the current release since they are used by the quickstarts. Update `dev.helmfile.yaml` & `dev.high-availability.helmfile.yaml` ratify chart version to new release version.
 
 ## Git Release Flow
 
@@ -52,14 +48,18 @@ When a major release is required, the release commits should be merged with the
 
 ### Tag and Release
 
-When the release branch is ready, a tag should be pushed with a name matching the branch name, e.g. `git tag v0.1.0-alpha1` and `git push --tags`.  This will trigger a [Goreleaser](https://goreleaser.com/) action that will build the binaries and creates a [GitHub release](https://help.github.com/articles/creating-releases/):
+Prepare the release with a [PR](https://github.com/deislabs/ratify/pull/1031/files) to update the chart value. When the release branch is ready, a tag should be pushed with a name matching the branch name, e.g. `git tag v0.1.0-alpha1` and `git push --tags`.  This will trigger a [Goreleaser](https://goreleaser.com/) action that will build the binaries and creates a [GitHub release](https://help.github.com/articles/creating-releases/):
 
 * The release will be marked as a draft to allow an final editing before publishing.
 * The release notes and other fields can edited after the action completes.  The description can be in Markdown.
 * The pre-release flag will be set for any release with a pre-release specifier.
 * The pre-built binaries are built from commit at the head of the release branch.
   * The files are named `ratify_<major>-<minor>-<patch>_<OS>_<ARCH>` with `.zip` files for Windows and `.tar.gz` for all others.
 
+## Post Release Activity
+
+After a successful release, please manually trigger [quick start action](.github/quick-start.yml) to validate the quick start test is passing. Validate in the run logs that the version of ratify matches the latest released version.
+
 ### Weekly Dev Release
 
 #### Publishing Guidelines

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: ratify
 description: A Helm chart for Ratify
-version: 1.9.0
-appVersion: v1.0.0-rc.7
+version: 1.10.0
+appVersion: v1.0.0-rc.8
 home: https://github.com/deislabs/ratify
@@ -38,6 +38,14 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.healthPort }}
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: {{ .Values.healthPort }}
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
@@ -70,11 +78,15 @@ spec:
             - --metrics-enabled={{ .Values.instrumentation.metricsEnabled }}
             - --metrics-type={{ .Values.instrumentation.metricsType }}
             - --metrics-port={{ .Values.instrumentation.metricsPort }}
+            - --health-port=:{{ .Values.healthPort }}
           ports:
             - containerPort: 6001
             {{- if .Values.instrumentation.metricsEnabled }}
             - containerPort: {{ required "You must provide .Values.instrumentation.metricsPort" .Values.instrumentation.metricsPort }}
             {{- end }}
+            - containerPort: {{ required "You must provide .Values.healthPort"  .Values.healthPort }}
+              name: healthz
+              protocol: TCP
           volumeMounts:             
             {{- if .Values.cosign.enabled }}
             - mountPath: "/usr/local/ratify-certs/cosign"

@@ -1,7 +1,7 @@
 image:
   repository: ghcr.io/deislabs/ratify
   crdRepository: ghcr.io/deislabs/ratify-crds
-  tag: v1.0.0-rc.7
+  tag: v1.0.0-rc.8
   pullPolicy: IfNotPresent
 
 nameOverride: ""
@@ -87,6 +87,7 @@ provider:
 podAnnotations: {}
 podLabels: {}
 enableRuntimeDefaultSeccompProfile: true
+healthPort: 9099
 
 rbac:
   create: true

@@ -47,6 +47,7 @@
 	metricsEnabled    bool
 	metricsType       string
 	metricsPort       int
+	healthPort        string
 }
 
 func NewCmdServe(_ ...string) *cobra.Command {
@@ -77,6 +78,7 @@
 	flags.BoolVar(&opts.metricsEnabled, "metrics-enabled", false, "Enable metrics exporter if enabled (default: false)")
 	flags.StringVar(&opts.metricsType, "metrics-type", httpserver.DefaultMetricsType, fmt.Sprintf("Metrics exporter type to use (default: %s)", httpserver.DefaultMetricsType))
 	flags.IntVar(&opts.metricsPort, "metrics-port", httpserver.DefaultMetricsPort, fmt.Sprintf("Metrics exporter port to use (default: %d)", httpserver.DefaultMetricsPort))
+	flags.StringVar(&opts.healthPort, "health-port", httpserver.DefaultHealthPort, fmt.Sprintf("Health port to use (default: %s)", httpserver.DefaultHealthPort))
 	return cmd
 }
 
@@ -100,7 +102,7 @@
 	if opts.enableCrdManager {
 		certRotatorReady := make(chan struct{})
 		logrus.Infof("starting crd manager")
-		go manager.StartManager(certRotatorReady)
+		go manager.StartManager(certRotatorReady, opts.healthPort)
 		manager.StartServer(opts.httpServerAddress, opts.configFilePath, opts.certDirectory, opts.caCertFile, opts.cacheTTL, opts.metricsEnabled, opts.metricsType, opts.metricsPort, certRotatorReady)
 
 		return nil

@@ -9,7 +9,7 @@ releases:
     namespace: gatekeeper-system
     createNamespace: true
     chart: gatekeeper/gatekeeper
-    version: 3.12.0
+    version: 3.13.0
     wait: true
     set:
       - name: enableExternalData

@@ -119,7 +119,7 @@ releases:
         value: true
       - name: featureFlags.RATIFY_CERT_ROTATION
         value: true
-      - name: logLevel
+      - name: logger.level
         value: debug
       - name: notationCert
         value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }}

@@ -127,7 +127,9 @@ Configure user-assigned managed identity and enable `AcrPull` role to the worklo
     --object-id ${IDENTITY_OBJECT_ID}
     ```
 
-## Deploy Gatekeeper and Ratify on AKS 
+## Deploy Gatekeeper and Ratify on AKS
+run `az aks show -g "${GROUP_NAME}" -n "${AKS_NAME}" --query addonProfiles.azurepolicy` to verify if the AKS cluster has azure policy addon enabled, learn more at [use azure policy](https://learn.microsoft.com/en-us/azure/aks/use-azure-policy)
+### When Azure Policy Addon is not enabled
 
 1. Deploy Gatekeeper from helm chart:
 
@@ -152,6 +154,7 @@ Configure user-assigned managed identity and enable `AcrPull` role to the worklo
     helm install ratify \
         ./charts/ratify --atomic \
         --namespace ${RATIFY_NAMESPACE} --create-namespace \
+        --set featureFlags.RATIFY_CERT_ROTATION=true \
         --set akvCertConfig.enabled=true \
         --set akvCertConfig.vaultURI=${VAULT_URI} \
         --set akvCertConfig.cert1Name=${KEY_NAME} \
@@ -166,6 +169,45 @@ Configure user-assigned managed identity and enable `AcrPull` role to the worklo
     kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml
     kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml
     ```
+### When Azure Policy Addon is enabled on AKS
+1. Ensure your AKS cluster is 1.26+
+2. `az feature register -n AKS-AzurePolicyExternalData --namespace Microsoft.ContainerService`
+3. Install Ratify on AKS from helm chart:
+
+    ```bash
+    # Add a Helm repo
+    helm repo add ratify https://deislabs.github.io/ratify
+    helm repo update
+
+    # Install Ratify
+    helm install ratify \
+        ./charts/ratify --atomic \
+        --namespace gatekeeper-system --create-namespace \
+        --set provider.enableMutation=false \
+        --set featureFlags.RATIFY_CERT_ROTATION=true \
+        --set akvCertConfig.enabled=true \
+        --set akvCertConfig.vaultURI=${VAULT_URI} \
+        --set akvCertConfig.cert1Name=${KEY_NAME} \
+        --set akvCertConfig.tenantId=${TENANT_ID} \
+        --set oras.authProviders.azureWorkloadIdentityEnabled=true \
+        --set azureWorkloadIdentity.clientId=${IDENTITY_CLIENT_ID}
+    ```
+
+4. Create and assign azure policy on your cluster:
+
+    ```bash
+    custom_policy=$(curl -L https://deislabs.github.io/ratify/library/default/customazurepolicy.yaml)
+    definition_name="ratify-default-custom-policy"
+    scope=$(az aks show -g "${GROUP_NAME}" -n "${AKS_NAME}" --query id -o tsv)
+
+    definition_id=$(az policy definition create --name "${definition_name}" --rules "$(echo "${custom_policy}" | jq .policyRule)" --params "$(echo "${custom_policy}" | jq .parameters)" --mode "Microsoft.Kubernetes.Data" --query id -o tsv)
+
+    assignment_id=$(az policy assignment create --policy "${definition_id}" --name "${definition_name}" --scope "${scope}" --query id -o tsv)
+
+    echo "Please wait policy assignmet with id ${assignment_id} taking effect"
+    echo "It often requires 15 min"
+    echo "You can run 'kubectl get constraintTemplate ratifyverification' to verify the policy takes effect"
+    ```
 
 ## Deploy two sample image to AKS cluster