Merge pull request #1780 from ratify-project/dev
binbin-li authored Sep 10, 2024
2 parents 603cb58 + ab8d001 commit 98dd1d9
Showing 46 changed files with 743 additions and 202 deletions.
2 changes: 1 addition & 1 deletion .devcontainer/Dockerfile
Expand Up @@ -30,7 +30,7 @@ RUN curl -Lo bats.tar.gz https://github.com/bats-core/bats-core/archive/v${BATS_
&& bash ./bats-core-${BATS_VERSION}/install.sh /usr/local \
&& rm -rf bats.tar.gz ./bats-core-${BATS_VERSION}

ARG NOTATION_VERSION="1.0.0-rc.1"
ARG NOTATION_VERSION="1.2.0"
RUN curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v${NOTATION_VERSION}/notation_${NOTATION_VERSION}_linux_amd64.tar.gz \
&& tar -zxf notation.tar.gz \
&& mv ./notation /usr/local/bin/notation \
2 changes: 1 addition & 1 deletion .github/licenserc.yml
Expand Up @@ -29,7 +29,7 @@ header:
limitations under the License.
paths-ignore:
- "**/*.{md,svg,yaml,crt,json,pub,yml,pb.go,proto}"
- "**/*.{md,svg,yaml,crt,cer,json,pub,yml,pb.go,proto}"
- "CODEOWNERS"
- "PROJECT"
- "NOTICE"
13 changes: 11 additions & 2 deletions Makefile
Expand Up @@ -31,7 +31,7 @@ KIND_KUBERNETES_VERSION ?= 1.29.2
GATEKEEPER_VERSION ?= 3.16.0
DAPR_VERSION ?= 1.12.5
COSIGN_VERSION ?= 2.2.3
NOTATION_VERSION ?= 1.1.0
NOTATION_VERSION ?= 1.2.0
ORAS_VERSION ?= 1.1.0

HELM_VERSION ?= 3.14.2
Expand All @@ -56,6 +56,8 @@ TRIVY_VERSION ?= 0.49.1
GATEKEEPER_NAMESPACE = gatekeeper-system
RATIFY_NAME = ratify

TIMESTAMP_URL = http://timestamp.digicert.com

# Local Registry Setup
LOCAL_REGISTRY_IMAGE ?= ghcr.io/project-zot/zot-linux-amd64:v2.0.2
TEST_REGISTRY = localhost:5000
Expand Down Expand Up @@ -98,6 +100,7 @@ install:
ratify-config:
cp ./test/bats/tests/config/* ${INSTALL_DIR}
cp ./test/bats/tests/certificates/wabbit-networks.io.crt ${INSTALL_DIR}/ratify-certs/notation/wabbit-networks.io.crt
cp ./test/bats/tests/certificates/tsarootca.cer ${INSTALL_DIR}/ratify-certs/notation/tsarootca.cer
cp ./test/bats/tests/certificates/cosign.pub ${INSTALL_DIR}/ratify-certs/cosign/cosign.pub
cp -r ./test/bats/tests/schemas/ ${INSTALL_DIR}

Expand Down Expand Up @@ -295,10 +298,16 @@ e2e-notation-setup:
${GITHUB_WORKSPACE}/bin/oras cp --from-oci-layout .staging/notation/notation.tar:v0 ${TEST_REGISTRY}/notation:unsigned
rm .staging/notation/notation.tar

printf 'FROM ${ALPINE_IMAGE}\nCMD ["echo", "notation tsa signed image"]' > .staging/notation/Dockerfile
docker buildx create --use
docker buildx build --output type=oci,dest=.staging/notation/notation.tar -t notation:v0 .staging/notation
${GITHUB_WORKSPACE}/bin/oras cp --from-oci-layout .staging/notation/notation.tar:v0 ${TEST_REGISTRY}/notation:tsa
rm .staging/notation/notation.tar

rm -rf ~/.config/notation
.staging/notation/notation cert generate-test --default "ratify-bats-test"

NOTATION_EXPERIMENTAL=1 .staging/notation/notation sign --allow-referrers-api -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} ${TEST_REGISTRY}/notation@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/notation:signed --descriptor | jq .digest | xargs`
NOTATION_EXPERIMENTAL=1 .staging/notation/notation sign --timestamp-url ${TIMESTAMP_URL} --timestamp-root-cert ./test/bats/tests/certificates/tsarootca.cer --allow-referrers-api -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} ${TEST_REGISTRY}/notation@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/notation:tsa --descriptor | jq .digest | xargs`
NOTATION_EXPERIMENTAL=1 .staging/notation/notation sign --allow-referrers-api -u ${TEST_REGISTRY_USERNAME} -p ${TEST_REGISTRY_PASSWORD} ${TEST_REGISTRY}/all@`${GITHUB_WORKSPACE}/bin/oras manifest fetch ${TEST_REGISTRY}/all:v0 --descriptor | jq .digest | xargs`

e2e-notation-leaf-cert-setup:
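Review bot: `TIMESTAMP_URL = http://timestamp.digicert.com` is the one new setting in this file that cannot be overridden from the environment, while the version variables around it use `?=`; with it, `e2e-notation-setup` hard-depends on a single external TSA, so an outage or firewall rule fails the suite for reasons unrelated to ratify. Declaring it as `TIMESTAMP_URL ?= http://timestamp.digicert.com` lets CI point at a mirror or a local TSA without editing the Makefile. The root pinned via `--timestamp-root-cert ./test/bats/tests/certificates/tsarootca.cer` will also have to be rotated before it expires; a comment above the variable such as `# TSA root for timestamp signing: <issuer placeholder>, notAfter <date placeholder>` makes that visible. Plain http for the TSA endpoint is not by itself a problem, since the returned timestamp token is signed and checked against that pinned root.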
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -11,6 +11,7 @@ Is a verification engine as a binary executable and on Kubernetes which enables
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ratify-project/ratify/badge)](https://api.securityscorecards.dev/projects/github.com/ratify-project/ratify)
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/9334/badge)](https://www.bestpractices.dev/projects/9334)
[![Go Reference](https://pkg.go.dev/badge/github.com/deislabs/ratify.svg)](https://pkg.go.dev/github.com/deislabs/ratify)
[![codecov](https://codecov.io/gh/ratify-project/ratify/graph/badge.svg?token=3X0BIPI4VD)](https://codecov.io/gh/ratify-project/ratify)

## Table of Contents

4 changes: 3 additions & 1 deletion charts/ratify/README.md
Expand Up @@ -49,6 +49,7 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| tolerations | Pod tolerations for the Ratify deployment | `[]` |
| notationCerts | An array of public certificate/certificate chain used to create inline certstore used by Notation verifier | `` |
| cosignKeys | An array of public keys used to create inline key management providers used by Cosign verifier | `[]` |
| notation.enabled | Enables/disables the built-in notation verifier. MUST be set to true for notation verification. | `true` |
| cosign.enabled | Enables/disables cosign tag-based signature lookup in ORAS store. MUST be set to true for cosign verification. | `true` |
| cosign.scopes | An array of scopes relevant to the single trust policy configured in Cosign verifier. A scope of '*' is a global wildcard character to represent all images apply. | `["*"]` |
| cosign.rekorURL | URL string reference to remote rekor server. If not specified, implementation will default to use Rekor public good instance `https://rekor.sigstore.dev`. | `` |
Expand Down Expand Up @@ -135,7 +136,8 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| azurekeyvault.vaultURI | Vault URI for Azure Key Vault | `` |
| azurekeyvault.tenantId | Tenant ID of the configured Azure Key Vault resource | `` |
| azurekeyvault.certificates | An array of certificate objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| azurekeyvault.keys | An array of key objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| azurekeyvault.keys | An array of key objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| azurekeyvault.refreshInterval | time duration to refresh the certificates/keys. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Example: 1h, 30m, 1h30m. If it's not set, the refresh functionality will be disabled. | `` |
| notationCert | **DEPRECATED** Please switch to `notationCerts` to specify an array of verification certificates. Public certificate/certificate chain used to create inline certstore used by Notation verifier. | `` |
| akvCertConfig.enabled | **DEPRECATED** Please use `azurekeyvault.enabled` instead. Enables/disables Azure Key Vault certificate store. If you are using a custom chart, certificate store should be referenced through a Verifier CR. References in ConfigMap will not be correctly resolved. | `false` |
| akvCertConfig.vaultURI | **DEPRECATED** Please use `azurekeyvault.vaultURI` instead. Vault URI for AKV configured | `` |
3 changes: 3 additions & 0 deletions charts/ratify/templates/akv-key-management-provider.yaml
Expand Up @@ -8,6 +8,9 @@ metadata:
helm.sh/hook-weight: "5"
spec:
type: azurekeyvault
{{- if .Values.azurekeyvault.refreshInterval }}
refreshInterval: {{ .Values.azurekeyvault.refreshInterval }}
{{- end }}
parameters:
{{- if .Values.azurekeyvault.vaultURI }}
vaultURI: {{ .Values.azurekeyvault.vaultURI }}
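Review bot: `refreshInterval: {{ .Values.azurekeyvault.refreshInterval }}` renders the value as a bare YAML scalar, so a value written without a unit (for example `60`) is emitted as an integer and, if the CRD declares the field as a string, is rejected at apply time with a schema error rather than the verifier's own duration message. Rendering it as `refreshInterval: {{ .Values.azurekeyvault.refreshInterval | quote }}` keeps the type stable regardless of what the user types; the `vaultURI` line below has the same shape, though a URI is unlikely to be parsed as a number. Whether the field belongs at `spec` level rather than under `parameters` depends on the KeyManagementProvider CRD, which is not visible in this change.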
1 change: 1 addition & 0 deletions charts/ratify/values.yaml
Expand Up @@ -76,6 +76,7 @@ azurekeyvault:
tenantId:
certificates: []
keys: []
refreshInterval:

oras:
useHttp: false
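Review bot: `refreshInterval:` is added with no comment, so a reader of values.yaml alone cannot tell whether it expects seconds, a duration string or a cron expression, and the disabled-when-empty behaviour is only stated in the chart README. Add a comment on the line above it, for example `# Duration with units such as "1h", "30m", "1h30m"; leave empty to disable periodic refresh of certificates/keys`, matching the README description.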
4 changes: 2 additions & 2 deletions cmd/ratify/cmd/cmd_test.go
Expand Up @@ -36,8 +36,8 @@ func TestVerify(t *testing.T) {

// TODO: make ratify cli more unit testable
// unit test should not have dependency for real image
if !strings.Contains(err.Error(), "plugin not found") {
t.Errorf("error expected")
if !strings.Contains(err.Error(), "PLUGIN_NOT_FOUND") {
t.Fatalf("expected containing: %s, but got: %s", "PLUGIN_NOT_FOUND", err.Error())
}
}

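Review bot: The new condition calls `err.Error()` before anything in the hunk establishes that err is non-nil, so a Verify call that unexpectedly succeeds would panic the test instead of failing it with a readable message. Unless the lines of TestVerify above the hunk already guard this, add `if err == nil { t.Fatal("expected PLUGIN_NOT_FOUND error, got nil") }` ahead of the strings.Contains check. The move from t.Errorf to t.Fatalf is reasonable since nothing after the check would be meaningful. TestVerify begins outside the hunk.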
Expand Up @@ -6,10 +6,11 @@ spec:
name: notation
artifactTypes: application/vnd.cncf.notary.signature
parameters:
verificationCertStores:
certs:
- ratify-notation-inline-cert-0
trustPolicyDoc:
verificationCertStores:
ca:
ca-certs:
- ratify-notation-inline-cert-0
trustPolicyDoc:
version: "1.0"
trustPolicies:
- name: default
Expand All @@ -18,6 +19,6 @@ spec:
signatureVerification:
level: strict
trustStores:
- ca:certs
- ca:ca-certs
trustedIdentities:
- "*"
Expand Up @@ -7,10 +7,9 @@ spec:
artifactTypes: application/vnd.cncf.notary.signature
parameters:
verificationCertStores:
certs:
- kmprovider-akv
certs1:
- kmprovider-akv1
ca:
ca-certs:
- kmprovider-akv
trustPolicyDoc:
version: "1.0"
trustPolicies:
Expand All @@ -20,6 +19,6 @@ spec:
signatureVerification:
level: strict
trustStores:
- ca:certs
- ca:ca-certs
trustedIdentities:
- "*"
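Review bot: Besides renaming the store from `certs` to `ca-certs` under `ca:`, this section drops the second store `certs1` that referenced `kmprovider-akv1`, so any signature whose chain is anchored only by that provider will no longer verify against this configuration. If the matching key management provider resource is still created by the same test or sample setup it becomes unreferenced; confirm the removal is intentional rather than a side effect of the restructuring, and say so in the commit description. The second azurekeyvault verifier section further down (the one whose hunk header is `@@ -7,10 +7,9 @@ spec:`) makes the same drop.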
Expand Up @@ -6,10 +6,11 @@ spec:
name: notation
artifactTypes: application/vnd.cncf.notary.signature
parameters:
verificationCertStores:
certs:
- default/ratify-notation-inline-cert-0
trustPolicyDoc:
verificationCertStores:
ca:
ca-certs:
- default/ratify-notation-inline-cert-0
trustPolicyDoc:
version: "1.0"
trustPolicies:
- name: default
Expand All @@ -18,6 +19,6 @@ spec:
signatureVerification:
level: strict
trustStores:
- ca:certs
- ca:ca-certs
trustedIdentities:
- "*"
Expand Up @@ -6,10 +6,11 @@ spec:
name: notation
artifactTypes: application/vnd.cncf.notary.signature
parameters:
verificationCertStores:
certs:
- default/ratify-notation-inline-cert-0
trustPolicyDoc:
verificationCertStores:
ca:
ca-certs:
- default/ratify-notation-inline-cert-0
trustPolicyDoc:
version: "1.0"
trustPolicies:
- name: default
Expand All @@ -18,6 +19,6 @@ spec:
signatureVerification:
level: strict
trustStores:
- ca:certs
- ca:ca-certs
trustedIdentities:
- "*"
Expand Up @@ -7,10 +7,9 @@ spec:
artifactTypes: application/vnd.cncf.notary.signature
parameters:
verificationCertStores:
certs:
- kmprovider-akv
certs1:
- kmprovider-akv1
ca:
ca-certs:
- kmprovider-akv
trustPolicyDoc:
version: "1.0"
trustPolicies:
Expand All @@ -20,6 +19,6 @@ spec:
signatureVerification:
level: strict
trustStores:
- ca:certs
- ca:ca-certs
trustedIdentities:
- "*"
Expand Up @@ -6,10 +6,11 @@ spec:
name: notation
artifactTypes: application/vnd.cncf.notary.signature
parameters:
verificationCertStores:
certs:
- default/ratify-notation-inline-cert-0
trustPolicyDoc:
verificationCertStores:
ca:
ca-certs:
- default/ratify-notation-inline-cert-0
trustPolicyDoc:
version: "1.0"
trustPolicies:
- name: default
Expand All @@ -18,6 +19,6 @@ spec:
signatureVerification:
level: strict
trustStores:
- ca:certs
- ca:ca-certs
trustedIdentities:
- "*"
2 changes: 1 addition & 1 deletion crd.Dockerfile
Expand Up @@ -11,7 +11,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.

FROM alpine@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5 as builder
FROM alpine@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d as builder

ARG TARGETOS
ARG TARGETARCH
