Merge pull request #1388 from deislabs/staging

feat: merge from `staging` to `main`
ratify-project · Apr 16, 2024 · 6a5f10c · 6a5f10c
2 parents 6daec5d + 7c75d59
commit 6a5f10c
Show file tree

Hide file tree

Showing 54 changed files with 1,742 additions and 670 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -5,10 +5,12 @@ on:
   push:
     branches: 
       - main
+      - staging
       - 1.0.0*
   pull_request:
     branches: 
       - main
+      - staging
       - 1.0.0*
   schedule:
     - cron: '30 1 * * 0'

diff --git a/.github/workflows/e2e-cli.yml b/.github/workflows/e2e-cli.yml
@@ -36,7 +36,7 @@ jobs:
       - name: Check build
         run: bin/ratify version
       - name: Upload coverage to codecov.io
-        uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
+        uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       - name: Run helm lint
@@ -64,7 +64,7 @@ jobs:
           make install ratify-config install-bats
           make test-e2e-cli GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover
       - name: Upload coverage to codecov.io
-        uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
+        uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   markdown-link-check:

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - main
+      - staging
       - 1.0.0*
   pull_request:
   workflow_dispatch:

diff --git a/.github/workflows/high-availability.yml b/.github/workflows/high-availability.yml
@@ -6,11 +6,13 @@ on:
   pull_request:
     branches:
       - main
+      - staging
       - 1.0.0*
   push:
     branches:
       - 1.0.0*
       - main
+      - staging
   workflow_dispatch:
 
 permissions: read-all

diff --git a/.github/workflows/quick-start.yml b/.github/workflows/quick-start.yml
@@ -6,10 +6,12 @@ on:
   pull_request:
     branches:
       - main
+      - staging
       - 1.0.0*
   push:
     branches:
       - 1.0.0*
+      - staging
       - main
   workflow_dispatch:
 

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -5,7 +5,9 @@ on:
     # Weekly on Saturdays.
     - cron: '30 1 * * 6'
   push:
-    branches: [ main ]
+    branches:
+      - main
+      - staging
   workflow_dispatch:
 
 permissions: read-all

diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -12,15 +12,15 @@
       "program": "${workspaceFolder}/cmd/ratify",
       "env": {
         "RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS": "1",
-        "RATIFY_LOG_LEVEL": "debug",
+        "RATIFY_LOG_LEVEL": "debug"
       },
       "args": [
         "verify",
         "-s",
         "${input:subject}",
         "-c",
-        "${input:configPath}",
-      ],
+        "${input:configPath}"
+      ]
     },
     {
       "name": "Serve",
@@ -35,10 +35,9 @@
         "serve",
         "--http",
         ":6001"
-      ],
+      ]
     },
     {
-      // This requires your kubeconfig to be pointed at a cluster with Ratify CRDs installed
       "name": "Serve w/ CRD manager",
       "type": "go",
       "request": "launch",
@@ -47,18 +46,19 @@
       "env": {
         "RATIFY_LOG_LEVEL": "debug",
         "RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS": "1",
-        "RATIFY_NAMESPACE": "gatekeeper-system",
+        "RATIFY_NAMESPACE": "gatekeeper-system"
       },
       "args": [
         "serve",
         "--enable-crd-manager",
         "--http",
         ":6001"
-      ],
+      ]
     },
     {
       // This requires your kubeconfig to be pointed at a cluster with Ratify CRDs installed
-      // This requires you to have generated tls.crt and tls.key and placed them in a single directory
+      // This requires you to have generated server TLS certs: tls.crt, tls.key, ca.crt, ca.key and placed them in a single directory
+      // This requires you to have a client CA cert (Gatekeeper CA cert) to verify the client cert
       "name": "Serve w/ CRD manager and TLS enabled",
       "type": "go",
       "request": "launch",
@@ -73,8 +73,9 @@
         "--enable-crd-manager",
         "--http",
         ":6001",
-        "--cert-dir=${input:tlsDir}"
-      ],
+        "--cert-dir=${input:tlsDir}",
+        "--ca-cert-file=${input:clientCACert}",
+      ]
     },
     {
       "name": "Debug SBOM Plugin",
@@ -87,7 +88,7 @@
         "RATIFY_LOG_LEVEL": "debug",
         "RATIFY_VERIFIER_COMMAND": "VERIFY",
         "RATIFY_VERIFIER_SUBJECT": "wabbitnetworks.azurecr.io/test/image:sbom",
-        "RATIFY_VERIFIER_VERSION": "1.0.0",
+        "RATIFY_VERIFIER_VERSION": "1.0.0"
       },
       "console": "integratedTerminal"
     }
@@ -111,5 +112,11 @@
       "description": "Absolute path to tls cert and key directory",
       "default": "${workspaceFolder}/tls/certs"
     },
+    {
+      "id": "clientCACert",
+      "type": "promptString",
+      "description": "Absolute path to client CA cert (Gatekeeper CA cert)",
+      "default": "${workspaceFolder}/client-ca-cert/ca.crt"
+    }
   ]
 }
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -269,19 +269,25 @@ Gatekeeper requires TLS for external data provider interactions. As such ratify
     helm install ratify \
       ./charts/ratify --atomic \
       --namespace gatekeeper-system \
-      --set-file notationCert=./test/testdata/notation.crt \
+      --set logger.level=debug \
+      --set-file notationCerts[0]=./test/testdata/notation.crt \
       --set-file provider.tls.crt=./tls/certs/tls.crt \
       --set-file provider.tls.key=./tls/certs/tls.key \
-      --set-file provider.tls.cabundle=./tls/certs/ca.crt
+      --set-file provider.tls.cabundle="$(cat ./tls/certs/ca.crt | base64 | tr -d '\n\r')" \
+      --set-file provider.tls.caCert=./tls/certs/ca.crt \
+      --set-file provider.tls.caKey=./tls/certs/ca.key
     ```
+Update the `KubernetesLocalProcessConfig.yaml` with updated directory/file paths:
+- In the file, set the `<INSERT WORKLOAD IDENTITY TOKEN LOCAL PATH>` to an absolute directory accessible on local environment. This is the directory where Bridge to K8s will download the Azure Workload Identity JWT token. 
+- In the file, set the `<INSERT CLIENT CA CERT LOCAL PATH>` to an absolute directory accessible on local environment. This is the directory where Bridge to K8s will download the `client-ca-cert` volume (Gatekeeper's `ca.crt`). 
 
 Configure Bridge to Kubernetes (Comprehensive guide [here](https://learn.microsoft.com/en-us/visualstudio/bridge/bridge-to-kubernetes-vs-code))
 1. Open the `Command Palette` in VSCode `CTRL-SHIFT-P`
-1. Select `Bridge to Kubernetes: Configure`
-1. Select `Ratify` from the list as the service to redirect to
-1. Set port to be 6001
-1. Select `Serve w/ CRD manager and TLS enabled` as the launch config
-1. Select 'No' for request isolation
+2. Select `Bridge to Kubernetes: Configure`
+3. Select `Ratify` from the list as the service to redirect to
+4. Set port to be 6001
+5. Select `Serve w/ CRD manager and TLS enabled` as the launch config
+6. Select 'No' for request isolation
 
 This should automatically append a new Bridge to Kubernetes configuration to the launch.json file and add a new tasks.json file. 
 

diff --git a/KubernetesLocalProcessConfig.yaml b/KubernetesLocalProcessConfig.yaml
@@ -0,0 +1,15 @@
+version: 0.1
+env:
+  - name: azure-identity-token # REMOVE if not using Azure Workload Identity
+    value:  $(volumeMounts:azure-identity-token) # REMOVE if not using Azure Workload Identity
+  - name: client-ca-cert
+    value: $(volumeMounts:client-ca-cert)
+  - name: AZURE_FEDERATED_TOKEN_FILE # REMOVE if not using Azure Workload Identity
+    value: <INSERT WORKLOAD IDENTITY TOKEN LOCAL PATH>/azure-identity-token # REMOVE if not using Azure Workload Identity
+  - name: RATIFY_NAMESPACE
+    value: gatekeeper-system
+volumeMounts:
+  - name: client-ca-cert
+    localPath: <INSERT CLIENT CA CERT LOCAL PATH>
+  - name: azure-identity-token # REMOVE if not using Azure Workload Identity
+    localPath: <INSERT WORKLOAD IDENTITY TOKEN LOCAL PATH> # REMOVE if not using Azure Workload Identity
diff --git a/RELEASES.md b/RELEASES.md
@@ -88,6 +88,6 @@ helm install ratify \
     --set image.repository=ghcr.io/deislabs/ratify-dev
     --set image.crdRepository=ghcr.io/deislabs/ratify-crds-dev
     --set image.tag=dev.<YYYYMMDD>.<ABBREVIATED_GIT_HASH_COMMIT>
-    --set-file notationCert=./test/testdata/notation.crt
+    --set-file notationCerts[0]=./test/testdata/notation.crt
 ```
 NOTE: the tag field is the only value that will change when updating to newer dev build images
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,7 @@ on: @@
       push:
         branches:
           - main
+          - staging
           - 1.0.0*
       pull_request:
       workflow_dispatch:
@@ Expand Down @@