feat: additional env vars for ratify container via helm chart

Signed-off-by: Maneesh Singh <[email protected]>

.github/workflows/codeql.yml

@@ -37,12 +37,12 @@ jobs:
         with:
           go-version: "1.22"
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c36620d31ac7c881962c3d9dd939c40ec9434f2b # tag=v3.26.12
+        uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13
         with:
           languages: go
       - name: Run tidy
         run: go mod tidy
       - name: Build CLI
         run: make build
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c36620d31ac7c881962c3d9dd939c40ec9434f2b # tag=v3.26.12
+        uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13

.github/workflows/e2e-aks.yml

@@ -64,7 +64,7 @@ jobs:
           make e2e-aks KUBERNETES_VERSION=${{ inputs.k8s_version }} GATEKEEPER_VERSION=${{ inputs.gatekeeper_version }} TENANT_ID=${{ secrets.AZURE_TENANT_ID }} AZURE_SP_OBJECT_ID=${{ secrets.AZURE_SP_OBJECT_ID }}
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ always() }}
         with:
           name: e2e-logs-aks-${{ inputs.k8s_version }}-${{ inputs.gatekeeper_version }}

.github/workflows/e2e-k8s.yml

@@ -65,7 +65,7 @@ jobs:
           kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
           kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-${{ matrix.GATEKEEPER_VERSION }}-rego-policy.json
       - name: Upload artifacts
-        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ always() }}
         with:
           name: e2e-logs-${{ inputs.k8s_version }}-${{ inputs.gatekeeper_version }}

.github/workflows/high-availability.yml

@@ -60,7 +60,7 @@ jobs:
           kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.DAPR_VERSION }}.json
           kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.DAPR_VERSION }}.json
       - name: Upload artifacts
-        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ always() }}
         with:
           name: e2e-logs-${{ matrix.DAPR_VERSION }}

.github/workflows/quick-start.yml

@@ -59,7 +59,7 @@ jobs:
           kubectl logs -n gatekeeper-system -l app=ratify --tail=-1 > logs-ratify-preinstall-${{ matrix.KUBERNETES_VERSION }}-config-policy.json
           kubectl logs -n gatekeeper-system -l app.kubernetes.io/name=ratify --tail=-1 > logs-ratify-${{ matrix.KUBERNETES_VERSION }}-config-policy.json
       - name: Upload artifacts
-        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ always() }}
         with:
           name: e2e-logs-${{ matrix.KUBERNETES_VERSION }}

.github/workflows/release.yml

@@ -49,7 +49,7 @@ jobs:
           $RUNNER_TEMP/sbom-tool generate -b . -bc . -pn ratify -pv $GITHUB_REF_NAME -ps Microsoft -nsb https://microsoft.com -V Verbose
 
       - name: Upload a Build Artifact
-        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # tag=v4.4.1
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # tag=v4.4.3
         with:
           name: SBOM SPDX files
           path: _manifest/spdx_2.2/**

.github/workflows/scorecards.yml

@@ -48,13 +48,13 @@ jobs:
           publish_results: true
 
       - name: "Upload artifact"
-        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # tag=v4.4.1
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # tag=v4.4.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # tag=v3.26.12
+        uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # tag=v3.26.13
         with:
           sarif_file: results.sarif

charts/ratify/README.md

@@ -47,6 +47,7 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
 | replicaCount                                       | The number of Ratify replicas in deployment                                                                                                                                                                                                                                                                                                                            | 1                                 |
 | affinity                                           | Pod affinity for the Ratify deployment                                                                                                                                                                                                                                                                                                                                 | `{}`                              |
 | tolerations                                        | Pod tolerations for the Ratify deployment                                                                                                                                                                                                                                                                                                                              | `[]`                              |
+| env                                                | Environment variables for Ratify container                                                                                                                                                                                                                                                                                                                             | `[]`                              |
 | notationCerts                                      | An array of public certificate/certificate chain used to create inline certstore used by Notation verifier                                                                                                                                                                                                                                                             | ``                                |
 | cosignKeys                                         | An array of public keys used to create inline key management providers used by Cosign verifier                                                                                                                                                                                                                                                                         | `[]`                              |
 | notation.enabled                                   | Enables/disables the built-in notation verifier. MUST be set to true for notation verification.                                                                                                                                                                                                                                                                        | `true`                            |

charts/ratify/templates/deployment.yaml

@@ -110,6 +110,9 @@ spec:
               readOnly: true
             {{- end }}
           env:
+          {{- with .Values.env }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           {{- if .Values.logger.level }}
             - name: RATIFY_LOG_LEVEL
               value: {{ .Values.logger.level }}

charts/ratify/values.yaml

@@ -169,4 +169,9 @@ akvCertConfig: # DEPRECATED: Use azurekeyvault instead
   cert2Name: # DEPRECATED: Use azurekeyvault.certificates instead
   cert2Version: # DEPRECATED: Use azurekeyvault.certificates instead
   certificates: # DEPRECATED: Use azurekeyvault.certificates instead
-  tenantId: # DEPRECATED: Use azurekeyvault.tenantId instead
+  tenantId: # DEPRECATED: Use azurekeyvault.tenantId instead
+
+# env: environment variables for ratify container
+env: []
+#  - name: https_proxy
+#    value: http://proxy-server:80

httpserver/Dockerfile

@@ -11,7 +11,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=$BUILDPLATFORM golang:1.22@sha256:628529a29f130a8ab336b994be99d134ce98cd23b8f2052d8995678681e97ca2 as builder
+FROM --platform=$BUILDPLATFORM golang:1.22@sha256:b274ff14d8eb9309b61b1a45333bf0559a554ebcf6732fa2012dbed9b01ea56f as builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS